The printer friendly version functionality in the Book module in Drupal 6.x before 6.28 and 7.x before 7.19 does not properly restrict access to node that are part of a book outline, which allows remote authenticated users with the access printer-friendly version permission to read node titles and possibly node content via unspecified vectors.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Drupal | Drupal | 6.0 (including) | 6.0 (including) |
| Drupal | Drupal | 6.0-beta1 (including) | 6.0-beta1 (including) |
| Drupal | Drupal | 6.0-beta2 (including) | 6.0-beta2 (including) |
| Drupal | Drupal | 6.0-beta3 (including) | 6.0-beta3 (including) |
| Drupal | Drupal | 6.0-beta4 (including) | 6.0-beta4 (including) |
| Drupal | Drupal | 6.0-dev (including) | 6.0-dev (including) |
| Drupal | Drupal | 6.0-rc1 (including) | 6.0-rc1 (including) |
| Drupal | Drupal | 6.0-rc2 (including) | 6.0-rc2 (including) |
| Drupal | Drupal | 6.0-rc3 (including) | 6.0-rc3 (including) |
| Drupal | Drupal | 6.0-rc4 (including) | 6.0-rc4 (including) |
| Drupal | Drupal | 6.1 (including) | 6.1 (including) |
| Drupal | Drupal | 6.2 (including) | 6.2 (including) |
| Drupal | Drupal | 6.3 (including) | 6.3 (including) |
| Drupal | Drupal | 6.4 (including) | 6.4 (including) |
| Drupal | Drupal | 6.5 (including) | 6.5 (including) |
| Drupal | Drupal | 6.6 (including) | 6.6 (including) |
| Drupal | Drupal | 6.7 (including) | 6.7 (including) |
| Drupal | Drupal | 6.8 (including) | 6.8 (including) |
| Drupal | Drupal | 6.9 (including) | 6.9 (including) |
| Drupal | Drupal | 6.10 (including) | 6.10 (including) |
| Drupal | Drupal | 6.11 (including) | 6.11 (including) |
| Drupal | Drupal | 6.12 (including) | 6.12 (including) |
| Drupal | Drupal | 6.13 (including) | 6.13 (including) |
| Drupal | Drupal | 6.14 (including) | 6.14 (including) |
| Drupal | Drupal | 6.15 (including) | 6.15 (including) |
| Drupal | Drupal | 6.16 (including) | 6.16 (including) |
| Drupal | Drupal | 6.17 (including) | 6.17 (including) |
| Drupal | Drupal | 6.18 (including) | 6.18 (including) |
| Drupal | Drupal | 6.19 (including) | 6.19 (including) |
| Drupal | Drupal | 6.20 (including) | 6.20 (including) |
| Drupal | Drupal | 6.21 (including) | 6.21 (including) |
| Drupal | Drupal | 6.22 (including) | 6.22 (including) |
| Drupal | Drupal | 6.23 (including) | 6.23 (including) |
| Drupal | Drupal | 6.24 (including) | 6.24 (including) |
| Drupal | Drupal | 6.25 (including) | 6.25 (including) |
| Drupal | Drupal | 6.26 (including) | 6.26 (including) |
| Drupal | Drupal | 6.27 (including) | 6.27 (including) |
| Drupal6 | Ubuntu | lucid | * |
| Drupal6 | Ubuntu | oneiric | * |
| Drupal6 | Ubuntu | precise | * |
| Drupal6 | Ubuntu | quantal | * |
| Drupal6 | Ubuntu | raring | * |
| Drupal6 | Ubuntu | upstream | * |
| Drupal7 | Ubuntu | precise | * |
| Drupal7 | Ubuntu | quantal | * |
| Drupal7 | Ubuntu | upstream | * |
References
- http://osvdb.org/89305
- http://packetstormsecurity.com/files/119598/Drupal-Core-6.x-7.x-Cross-Site-Scripting-Access-Bypass.html
- http://seclists.org/fulldisclosure/2013/Jan/120
- http://seclists.org/oss-sec/2013/q1/211
- http://secunia.com/advisories/51717
- http://www.debian.org/security/2013/dsa-2776
- https://drupal.org/SA-CORE-2013-001
- https://exchange.xforce.ibmcloud.com/vulnerabilities/81380
- http://osvdb.org/89305
- http://packetstormsecurity.com/files/119598/Drupal-Core-6.x-7.x-Cross-Site-Scripting-Access-Bypass.html
- http://seclists.org/fulldisclosure/2013/Jan/120
- http://seclists.org/oss-sec/2013/q1/211
- http://secunia.com/advisories/51717
- http://www.debian.org/security/2013/dsa-2776
- https://drupal.org/SA-CORE-2013-001
- https://exchange.xforce.ibmcloud.com/vulnerabilities/81380