drupal | Drupal Security Team | DRUPAL-SA-CONTRIB-2013-063
Aug 07, 2013 - 12:00 a.m.

SA-CONTRIB-2013-063 - Authenticated User Page Caching (Authcache) - Information Disclosure

2013-08-07 00:00:00
Drupal Security Team
www.drupal.org
CVSS2: 4

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Authentication: SINGLE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: NONE
  • Availability Impact: NONE
  • Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS3: 6.5

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: NONE
  • Availability Impact: NONE
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS: 0.967 (Percentile: 99.7%)

This module enables page caching for authenticated users. A separate version of each cacheable page is stored for each group of users with the same combination of roles.

Users who have exactly the same combination of roles as the superuser (uid=1) might be served cached pages that were generated for the superuser. Information intended only for the superuser might therefore be disclosed to those users.

This vulnerability is mitigated by the fact that an attacker must have exactly the same combination of roles as the superuser.
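The following added example is not Authcache's code and is not taken from the advisory. It models a page cache keyed only by role combination, next to one possible hardening that keeps uid 1 out of the shared cache. The function names, accounts, path and renderer are constructed for illustration, and the hardening shown is an assumption, not a description of the 7.x-1.5 fix.

```php
<?php
// Constructed model of a role-keyed page cache; not Authcache's code.
// Accounts mimic Drupal 7's $user object: a uid plus roles keyed by role id.

/** Weak key: derived only from the role combination and the path. */
function role_only_key(array $account, string $path): string {
    $rids = array_keys($account['roles']);
    sort($rids);
    return hash('sha256', implode(',', $rids) . '|' . $path);
}

/** Hardened key (assumption): uid 1 neither reads from nor writes to the shared cache. */
function hardened_key(array $account, string $path): ?string {
    if ((int) $account['uid'] === 1) {
        return null; // uid 1 bypasses access checks, so its pages are not shareable
    }
    return role_only_key($account, $path);
}

/** Serve a page through the cache; $keyFn decides which users share an entry. */
function serve(array &$cache, callable $keyFn, array $account, string $path): string {
    $key = $keyFn($account, $path);
    if ($key !== null && isset($cache[$key])) {
        return $cache[$key]; // cache hit: no per-user access check happens here
    }
    // Constructed renderer: only uid 1 gets the extra block.
    $page = $account['uid'] === 1 ? 'report + superuser-only block' : 'report';
    if ($key !== null) {
        $cache[$key] = $page;
    }
    return $page;
}

// Constructed accounts: identical role combination, different uid.
$roles = [2 => 'authenticated user', 3 => 'administrator'];
$root  = ['uid' => 1,  'roles' => $roles];
$other = ['uid' => 42, 'roles' => $roles];

foreach (['role_only_key', 'hardened_key'] as $keyFn) {
    $cache = [];
    serve($cache, $keyFn, $root, '/admin/report');          // uid 1 warms the cache
    $seen = serve($cache, $keyFn, $other, '/admin/report'); // uid 42 requests the same path
    printf("%-14s uid 42 receives: %s\n", $keyFn, $seen);
}
```

When auditing a site, the accounts to look for are those whose role set is identical to the role set of uid 1, since only those share a cache entry with it.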

CVE identifier(s) issued

  • CVE-2013-4226

Versions affected

  • authcache 7.x-1.x versions prior to 7.x-1.5.

Drupal core is not affected. If you do not use the contributed Authenticated User Page Caching (Authcache) module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Authenticated User Page Caching (Authcache) project page.

Reported by

Fixed by

Coordinated by
