
=====================================================================

                           CERT-Renater

               Information Note No. 2013/VULN271
_____________________________________________________________________

DATE                : 27/06/2013

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Fast Permissions Administration for DRUPAL
                        versions 6.x, 7.x.

======================================================================
https://drupal.org/node/2028813
______________________________________________________________________

SA-CONTRIB-2013-054 - Fast Permissions Administration - Access Bypass
Posted by Drupal Security Team on June 26, 2013 at 3:41pm

    Advisory ID: DRUPAL-SA-CONTRIB-2013-054
    Project: Fast Permissions Administration (third-party module)
    Version: 6.x, 7.x
    Date: 2013-June-26
    Security risk: Highly critical
    Exploitable from: Remote
    Vulnerability: Access bypass


Description

The Fast Permissions Administration module enables you to use inline
filters on the permissions page, as well as loading the permissions
form through a modal dialog.

The module doesn't sufficiently check user access for the modal content
callback, allowing unauthorized access to the permissions edit form.
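As an added illustration (not the module's actual code, and not from the advisory), the following Drupal 7 menu definitions show the class of defect described above beside its corrected form: a modal content callback that renders the permissions form must carry the same access requirement as the permissions page itself. Module name, path and function names are hypothetical.

```php
<?php
// Hypothetical module "example_modal_perms"; path and callbacks are assumed.

/**
 * Weak variant: the modal callback is reachable by any user because the
 * router entry grants access unconditionally, even though the callback
 * returns the permissions edit form.
 */
function example_modal_perms_menu_weak() {
  $items['admin/people/permissions/modal'] = array(
    'title' => 'Permissions (modal)',
    'page callback' => 'example_modal_perms_modal_content',
    'access callback' => TRUE,   // no access check at all
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Corrected variant (implements hook_menu): require the same permission
 * that guards admin/people/permissions in Drupal core.
 */
function example_modal_perms_menu() {
  $items['admin/people/permissions/modal'] = array(
    'title' => 'Permissions (modal)',
    'page callback' => 'example_modal_perms_modal_content',
    'access arguments' => array('administer permissions'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Defence in depth: re-check inside the callback as well, since page
 * callbacks can be reached through delivery paths other than the router.
 * Returning MENU_ACCESS_DENIED makes Drupal emit a 403 response.
 */
function example_modal_perms_modal_content() {
  if (!user_access('administer permissions')) {
    return MENU_ACCESS_DENIED;
  }
  // The core permissions form lives in user.admin.inc.
  module_load_include('inc', 'user', 'user.admin');
  return drupal_get_form('user_admin_permissions');
}
```

When reviewing a contributed module, check every hook_menu entry whose page callback returns an administrative form for an 'access callback' => TRUE or a missing 'access arguments' key.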

CVE identifier(s) issued

    A CVE identifier will be requested, and added upon issuance, in
    accordance with Drupal Security Team processes.


Versions affected

    Fast Permissions Administration 6.x-2.x versions prior to 6.x-2.5.
    Fast Permissions Administration 7.x-2.x versions prior to 7.x-2.3.

Drupal core is not affected. If you do not use the contributed Fast
Permissions Administration module, there is nothing you need to do.


Solution

Install the latest version:

    If you use the Fast Permissions Administration module for Drupal
    6.x, upgrade to Fast Permissions Administration 6.x-2.5.
    If you use the Fast Permissions Administration module for Drupal
    7.x, upgrade to Fast Permissions Administration 7.x-2.3.

Also see the Fast Permissions Administration project page.


Reported by

    Philip Boden

Fixed by

    Corey Aufang, the module maintainer

Coordinated by

    Klaus Purer of the Drupal Security Team


Contact and More Information

The Drupal security team can be reached at security at drupal.org or
via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing
secure code for Drupal, and securing your site.


Categories: Drupal 6.x, Drupal 7.x

======================================================================

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================
