SA-CONTRIB-2014-076 - Fasttoggle - Access bypass

2014-08-06 00:00:00
Drupal Security Team
www.drupal.org

CVSS2: 5.8 Medium (AV:N/AC:M/Au:N/C:N/I:P/A:P)
  Attack Vector: NETWORK
  Attack Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: NONE
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL

EPSS: 0.967 High (percentile 99.7%)

This module enables you to quickly toggle various user, node and field related settings via ajax links.

The recent 7.x-1.3 and 7.x-1.4 releases of the module include a rewrite of the access control that does not correctly implement the access check for the user status (allow/block) link.

This vulnerability is mitigated by the fact that the administrator must enable the link in the fasttoggle configuration and allow user profiles to be viewed by anonymous or logged in users. For user 1 to be affected, the administrator must also enable the fasttoggle setting that allows that account to be blocked via fasttoggle.

All uses of the Fasttoggle module are logged, so any invocation of the exploit will be recorded. The exploit can only block or unblock accounts; it cannot change anything else.
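The advisory describes a toggle link whose access control no longer enforced the permission check. The following is an added example of what a correctly gated Drupal 7 status-toggle callback looks like; it is not the Fasttoggle module's code, and the function and variable names (example_*) are hypothetical. It reflects the advisory's mitigating factors: the link must be explicitly enabled, user 1 is only blockable when the administrator opts in, and every use is logged.

```php
<?php
/**
 * Hypothetical access callback for a user status (block/unblock) ajax link.
 * Added example; not code from the Fasttoggle module.
 * Returns TRUE only when the current user may toggle $account's status.
 */
function example_user_status_toggle_access($account) {
  global $user;

  // The administrator must explicitly enable the link (hypothetical setting).
  if (!variable_get('example_toggle_user_status_enabled', FALSE)) {
    return FALSE;
  }
  // Being allowed to *view* a profile must never imply being allowed to
  // change its status: require the real permission.
  if (!user_access('administer users')) {
    return FALSE;
  }
  // Do not let an account block itself through an ajax link.
  if ($account->uid == $user->uid) {
    return FALSE;
  }
  // User 1 may only be blocked when the administrator opted in (hypothetical setting).
  if ($account->uid == 1 && !variable_get('example_toggle_allow_uid1', FALSE)) {
    return FALSE;
  }
  return TRUE;
}

/**
 * Page callback: flips the status after the access check and logs every use.
 */
function example_user_status_toggle($account) {
  if (!example_user_status_toggle_access($account)) {
    return MENU_ACCESS_DENIED;
  }
  // A state-changing link also needs a CSRF token (core drupal_valid_token()).
  $token = isset($_GET['token']) ? $_GET['token'] : '';
  if (!drupal_valid_token($token, 'example_toggle_' . $account->uid)) {
    return MENU_ACCESS_DENIED;
  }
  $new_status = $account->status ? 0 : 1;
  user_save($account, array('status' => $new_status));
  // Record who changed whom, matching the advisory's note that all uses are logged.
  watchdog('example_toggle', 'User %uid set status of user %target to %status.',
    array('%uid' => $GLOBALS['user']->uid, '%target' => $account->uid, '%status' => $new_status),
    WATCHDOG_NOTICE);
  drupal_goto('user/' . $account->uid);
}
```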

CVE identifier(s) issued

  • CVE-2014-5268

Versions affected

Drupal core is not affected. If you do not use the contributed Fasttoggle module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Fasttoggle project page.

Reported by

Fixed by

Coordinated by
