• Advisory ID: DRUPAL-SA-CONTRIB-2017-031
• Project: Private (third-party module)
• Version: 7.x
• Date: 2017-March-15
• Security risk: 15/25 ( Critical) AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default
• Vulnerability: Access bypass

Description

This module enables you to mark nodes as private so that they are only accessible to users that have been granted an extra permissions.

The module doesn’t always enforce the access restrictions. In some cases a node that a site admin expects to be private is actually accessible as normal or nodes may be editable in ways a site admin may not expect.

CVE identifier(s) issued

• A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

• Private 7.x-1.x versions

Drupal core is not affected. If you do not use the contributed Private module, there is nothing you need to do.

Solution

Install the latest version:

• If you use the Private module 7.x-1.x your site may be at risk. The only completely safe option is to take the website off-line. In most cases, disabling the module will not mitigate the vulnerabilities as that will expose even more private information.
• A new maintainer has developed a beta secure version of the module using the 7.x-2.x branch. This is a partial rewrite and needs further testing. Please test it and provide bug reports and help developing patches.

Also see the Private project page.

Reported by

• Adam Shepherd

Fixed by

• Adam Shepherd The module maintainer

Coordinated by

• Greg Knaddison of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity