Forward - Access bypass

The Forward module is a module that allows site administrators to add links to postings that let users email the current page to a third party. By manipulating URL arguments, authenticated and anonymous users are able to access posts that should have been restricted by a node access module such as Organic Groups, Taxonomy Access Control, Taxonomy Access Lite, etc.

Versions affected

• Forward for Drupal 5.x before 5.x-1.0
• Forward for Drupal 4.7.x before 4.7-1.1

Drupal core is not affected. If you do not use the contributed Forward module, there is nothing you need to do.

Solution

Install the latest version:

• Forward 5.x-1.0
• Forward 4.7.x-1.1

See also the Forward project page.

Reported by

Drupal Security Team