=====================================================================
                           CERT-Renater

                 Information Note No. 2009/VULN041
_____________________________________________________________________

DATE                 : 12/02/2009

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running DRUPAL CORE.

======================================================================
http://drupal.org/node/372836
______________________________________________________________________

---- SA-CORE-2009-002 DRUPAL CORE - ADMINISTER CONTENT TYPES PERMISSION ----

  * Advisory ID: DRUPAL-SA-CORE-2009-002
  * Project: Drupal core
  * Versions: 5.x and 6.x
  * Date: 2009-February-11
  * Security risk: None

---- DESCRIPTION ----

This is a public service announcement regarding the "administer content
types" permission. The rise of the Content Construction Kit (CCK) and a
legion of powerful CCK field modules have considerably extended the
abilities of a user with this permission, with much of a site's
behaviour now being configurable via the content types administration
pages.

The permission "administer content types" is therefore comparable in
scope to the "administer site configuration" permission. Only grant
this permission to trusted site administrators.

---- SOLUTION ----

Only grant trusted site administrators the "administer content types"
permission.

---- CONTACT ----

The security team for Drupal can be reached at security at drupal.org
or via the form at [ http://drupal.org/contact ].

======================================================================

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER         | tel  : 01-53-94-20-44          +
+ 151 bd de l'Hopital  | fax  : 01-53-94-20-41          +
+ 75013 Paris          | email: certsvp@renater.fr      +
=========================================================
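One way to check a site against the SOLUTION section is to list every role that holds "administer content types" and the active accounts behind it. This is an added example, not part of the advisory or of Drupal; it assumes the Drupal 5.x/6.x core tables `role`, `permission`, `users` and `users_roles`, uses an in-memory SQLite database as a stand-in for the site database, and all rows are constructed sample data.

```python
import sqlite3

PERM = "administer content types"
# Drupal core's built-in roles: rid 1 = anonymous user, rid 2 = authenticated user.
BUILTIN = {1: "every visitor", 2: "every logged-in account"}

def roles_with_permission(conn, perm=PERM):
    """Return [(rid, role_name, scope)] for roles whose perm list contains perm."""
    findings = []
    rows = conn.execute(
        "SELECT r.rid, r.name, p.perm FROM role r "
        "JOIN permission p ON p.rid = r.rid ORDER BY r.rid")
    for rid, name, perm_list in rows:
        # permission.perm is one comma-separated string per role; compare whole
        # tokens so a similarly named permission does not match by substring.
        granted = {token.strip() for token in (perm_list or "").split(",")}
        if perm not in granted:
            continue
        if rid in BUILTIN:
            scope = BUILTIN[rid]
        else:
            users = conn.execute(
                "SELECT u.name FROM users u JOIN users_roles ur ON ur.uid = u.uid "
                "WHERE ur.rid = ? AND u.status = 1 ORDER BY u.name", (rid,))
            scope = ", ".join(n for (n,) in users) or "no active users"
        findings.append((rid, name, scope))
    return findings

def build_sample_db():
    """Constructed sample data in the shape of the Drupal 5/6 core tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE role (rid INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE permission (pid INTEGER PRIMARY KEY, rid INTEGER, perm TEXT, tid INTEGER);
        CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT, status INTEGER);
        CREATE TABLE users_roles (uid INTEGER, rid INTEGER);
        INSERT INTO role VALUES (1,'anonymous user'),(2,'authenticated user'),
                                (3,'site admin'),(4,'editor');
        INSERT INTO permission VALUES
            (1,1,'access content',0),
            (2,2,'access content, post comments',0),
            (3,3,'administer content types, administer site configuration',0),
            (4,4,'access content, administer content types, administer nodes',0);
        INSERT INTO users VALUES (1,'root',1),(5,'alice',1),(6,'bob',1),(7,'carol',0);
        INSERT INTO users_roles VALUES (1,3),(5,4),(6,4),(7,4);
    """)
    return conn

if __name__ == "__main__":
    for rid, name, scope in roles_with_permission(build_sample_db()):
        print(f"rid={rid} role={name!r} held by: {scope}")
```

In the sample data the "editor" role is the finding to review: it carries the permission for two active accounts that are not site administrators. The account with uid 1 passes every permission check in Drupal regardless of its roles, so it is in scope even when no listed role names it.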