• Advisory ID: DRUPAL-SA-2007-030
• Project: Drupal core
• Version: 4.7.x, 5.x
• Date: 2007-October-17
• Security risk: Not critical
• Exploitable from: Remote
• Vulnerability: Access bypass

Description

The publication status of comments is not passed during the hook_comments API operation, causing various modules that rely on the publication status (such as Organic groups, or Subscriptions) to mail out unpublished comments.

Versions affected

• Drupal 4.7.x before version 4.7.8
• Drupal 5.x before version 5.3.

Solution

Install the latest version:

• If you are running Drupal 4.7.x then upgrade to Drupal 4.7.8.
• If you are running Drupal 5.x then upgrade to Drupal 5.3.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.

• To patch Drupal 4.7.x use SA-2007-030-4.7.7.patch.
• To patch Drupal 5.2 use SA-2007-030-5.2.patch.

Reported by

The Drupal security team.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.