=====================================================================
                                    CERT-Renater

                         Information Note No. 2008/VULN127
_____________________________________________________________________

DATE                      : 10/04/2008

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Simple access for Drupal.

======================================================================
http://drupal.org/node/244560
______________________________________________________________________

------------SA-2008-025 - SIMPLE ACCESS - ACCESS BYPASS------------

   * Advisory ID: DRUPAL-SA-2008-025

   * Project: Simple access (third-party module)

   * Version: 5.x-1.*

   * Date: 2008-April-09

   * Security risk: Moderately critical

   * Exploitable from: Remote

   * Vulnerability: Access bypass

------------DESCRIPTION------------

The Simple Access module is a node access module that allows administrators
to make some nodes private and/or editable by certain user roles.

The module contains a flaw that results in the privacy information for a node
being lost under certain conditions.  These conditions are usually triggered
via the interaction with other modules, such as Node clone [
http://drupal.org/project/node_clone ] or Project issue tracking [
http://drupal.org/project/project_issue ].

------------VERSIONS AFFECTED------------

   * Simple access for Drupal 5.x up to and including version 5.x-1.2-2

Drupal core is not affected. If you do not use the contributed Simple access
module, there is nothing you need to do.

------------SOLUTION------------

Install the latest version:
Simple access 5.x-1.3 [ http://drupal.org/node/244565 ]

See also the Simple access project page [
http://drupal.org/project/simple_access ].

------------REPORTED BY------------

Derek Wright [ http://drupal.org/user/46549 ] of the Drupal Security Team.

------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at [ http://drupal.org/contact ].

======================================================================

           =========================================================
           CERT-Renater reference servers
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================




