SA-2008-063 - multiple third party modules - Access bypass due to incorrect Drupal 6 updates

Several contributed modules were incorrectly updated for the Drupal 6.x menu system in such a way that the intended access controls are likely to be by-passed by unprivileged users. In some cases, this includes access to the administrative functions of these modules, or access to content the user would otherwise be prohibited from seeing.

Drupal core is not affected. Disabling the affected modules provides an immediate workaround.

Versions affected

• Live module 6.x before version 6.x-1.0
• AJAX Picture Preview module 6.x before version 6.x-1.2
• Admin:hover module 6.x-1.x-dev before 2008-Oct-08
• Banner Rotor Module before version 6.x-1.3
• Creative Commons Lite module 6.x before version 6.x-1.1
• Keyboard shortcut utiilty module 6.x before version 6.x-1.1
• LiveJournal CrossPoster module 6.x before version 6.x-1.4
• Taxonomy import/export via XML module 6.x before version 6.x-1.2
• User Referral module 6.x-1.x-dev before 2008-Oct-08

Drupal core is not affected. If you do not use a contributed module from the list above on a Drupal 6 site, there is nothing you need to do.

Solution

If you are running any of the modules from the list above, upgrade to the version specified in the list.

Important note

If you are the author of a contributed module being updated for Drupal 6.x, please read carefully the documentation on the Drupal 6 menu system to insure that you do not make the same mistake: <http://drupal.org/node/109157&gt;

Reported by

John Morahan and Peter Wolanin of the Drupal security team.