=====================================================================
                                   CERT-Renater

                        Information Note No. 2010/VULN147
_____________________________________________________________________

DATE                      : 03/05/2010

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Decisions for DRUPAL, Privatemsg for DRUPAL.

======================================================================
http://drupal.org/node/784446
http://drupal.org/node/784602
______________________________________________________________________
  * Advisory ID: DRUPAL-SA-CONTRIB-2010-037
  * Project: Decisions (third-party module)
  * Version: 5.x, 6.x
  * Date: 2010-April-28
  * Security risk: Less Critical
  * Exploitable from: Remote
  * Vulnerability: Access Bypass

-------- DESCRIPTION
---------------------------------------------------------

Decisions is a replacement for poll.module and provides advanced voting
systems and decision-making tools. It aims to enable groups to take decisions
online in a manner that replicates and augments what is possible in
face-to-face meetings. In some listings, the Decisions module does not
construct its SQL query to respect node access restrictions, so users can
see listings of nodes which should not be accessible to them.
-------- VERSIONS AFFECTED
---------------------------------------------------

  * Decisions for Drupal 5.x versions prior to 5.x-1.2
  * Decisions for Drupal 6.x versions prior to 6.x-1.7

Drupal core is not affected. If you do not use the contributed Decisions [1]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------

Install the latest version.
  * If you use Decisions for Drupal 5.x upgrade to Decisions 5.x-1.2 [2]
  * If you use Decisions for Drupal 6.x upgrade to Decisions 6.x-1.7 [3]

-------- REPORTED BY
---------------------------------------------------------

  * Kirill Stealth [4]

-------- FIXED BY
------------------------------------------------------------

  * Antoine Beaupré [5], module maintainer.
  * Ezra Barnett Gildesgame [6], module maintainer.

-------- CONTACT
-------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://drupal.org/project/decisions
[2] http://drupal.org/node/784444
[3] http://drupal.org/node/783766
[4] http://drupal.org/user/205226
[5] http://drupal.org/user/1274
[6] http://drupal.org/user/69959

_____________________________________________________________________________

  * Advisory ID: DRUPAL-SA-CONTRIB-2010-038
  * Project: Privatemsg (third-party module)
  * Version: 6.x
  * Date: 2010-April-28
  * Security risk: Less Critical
  * Exploitable from: Remote
  * Vulnerability: Access Bypass

-------- DESCRIPTION
---------------------------------------------------------

The Privatemsg module allows users to send private messages to each other.
Additionally, the Privatemsg Email Notification submodule sends an e-mail
notification when such a message is sent. The page for configuring the
template of these e-mails does not check the correct access permission, which
allows all users with the read privatemsg permission to access and alter the
settings on that page.
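
The following is an added illustration of the defect class described above; it is not code from the Privatemsg module or from the advisory. In Drupal 6 the menu router entry is the only access gate in front of a settings form, so an administrative page whose 'access arguments' names a permission every ordinary user holds is writable by all of them. The menu paths, the form id, the module name "example_pm" and the permission name 'administer privatemsg settings' are assumptions for the example; hook_menu(), hook_perm(), drupal_get_form(), system_settings_form(), variable_get() and t() are Drupal 6 core APIs.

```php
<?php
// Added example (hypothetical module "example_pm"), not the Privatemsg
// module's own code. Paths, the form id and the permission string
// 'administer privatemsg settings' are assumptions made for illustration.

/**
 * Implementation of hook_perm(): a low-privilege permission that ordinary
 * users hold, and an administrative one meant for site administrators.
 */
function example_pm_perm() {
  return array('read privatemsg', 'administer privatemsg settings');
}

/**
 * Implementation of hook_menu().
 */
function example_pm_menu() {
  $items = array();

  // VULNERABLE: the e-mail template settings form is guarded only by
  // 'read privatemsg', so every user allowed to read messages can open
  // this page and change site-wide settings.
  $items['admin/settings/example-pm/email-unsafe'] = array(
    'title' => 'E-mail notification template (unsafe example)',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_pm_email_settings_form'),
    'access arguments' => array('read privatemsg'),
    'type' => MENU_CALLBACK,
  );

  // HARDENED: a page that writes configuration is guarded by an
  // administrative permission. Drupal checks 'access arguments' through
  // user_access() before the page callback runs.
  $items['admin/settings/example-pm/email'] = array(
    'title' => 'E-mail notification template',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_pm_email_settings_form'),
    'access arguments' => array('administer privatemsg settings'),
    'type' => MENU_NORMAL_ITEM,
  );

  return $items;
}

/**
 * The settings form. system_settings_form() persists every field with
 * variable_set() on submit, which is why reaching this page is a write
 * to site configuration and not merely a read.
 */
function example_pm_email_settings_form() {
  $form['example_pm_email_body'] = array(
    '#type' => 'textarea',
    '#title' => t('Notification e-mail body'),
    '#default_value' => variable_get('example_pm_email_body', ''),
  );
  return system_settings_form($form);
}
```

A practical audit check for a Drupal 6 site is to walk the {menu_router} table (or each module's hook_menu()) for paths under admin/ and compare the 'access arguments' against the permissions granted to the authenticated user role; any administrative path whose permission is held by that role is the pattern this advisory describes.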
-------- VERSIONS AFFECTED
---------------------------------------------------

  * Privatemsg for Drupal 6.x versions prior to 6.x-1.2

Drupal core is not affected. If you do not use the contributed Privatemsg [1]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------

Install the latest version.
  * If you use Privatemsg for Drupal 6.x upgrade to Privatemsg 6.x-1.2 [2]

-------- REPORTED BY
---------------------------------------------------------

  * Lee Rowlands [3], module maintainer.

-------- FIXED BY
------------------------------------------------------------

  * Lee Rowlands [4], module maintainer.
  * Sascha Grossebacher [5], module maintainer.

-------- CONTACT
-------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://drupal.org/project/privatemsg
[2] http://drupal.org/node/784598
[3] http://drupal.org/user/395439
[4] http://drupal.org/user/395439
[5] http://drupal.org/user/214652
======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================