[Sysadmin] [Security announcements] Bypass "view user profiles" permission
Drupal Security Team
security at drupal.org
Wed Nov 30 16:22:25 CST 2005
------------BYPASS "VIEW USER PROFILES" PERMISSION------------
* Advisory ID: DRUPAL-SA-2005-009
* Project: Drupal core
* Date: 2005-11-30
* Security risk: not critical
* Impact: normal
* Where: from remote
* Vulnerability: bypass access control
------------DESCRIPTION------------
Andrew Widdowson informed us that it's possible to bypass the 'access user
profile' permission if the server is running PHP5. No data can be changed
though.
------------VERSIONS AFFECTED------------
Drupal 4.6.0, 4.6.1, 4.6.2, 4.6.3
------------SOLUTION------------
If you are running Drupal 4.6.x and PHP5, then upgrade to Drupal 4.6.4.
------------CONTACT------------
The security contact for Drupal can be reached at security at drupal.org or
using the form at http://drupal.org/contact.
More information is available from http://drupal.org/security or from our
security RSS feed http://drupal.org/security/rss.xml.