SA-2007-030 (17 October 2007) API handling of unpublished comment.

Primary links

SA-2007-030 (17 October 2007) API handling of unpublished comment.

Advisory ID: DRUPAL-SA-2007-030
Project: Drupal core
Version: 4.6.x, 4.7.x, 5.x
Date: 2007-October-17
Security risk: Not critical
Exploitable from: Remote
Vulnerability: Access bypass

The publication status of comments is not passed during the hook_comments API operation, causing various modules that rely on the publication status to mail out unpublished comments.

The official announcement for Drupal 4.7.x and 5.x is here, and the official patch for Drupal 4.7.x is here.

Considerations for Drupal 4.6

The same exploit seen in comment_save() in Drupal 4.7 is present in 4.6 via the function comment_post(), and therefore Drupal 4.6 must be patched against this vulnerability, using the same approach as the official 4.7 patch.

SA-2007-030-4.6.patch

Featured Project

The Pulitzer Prizes
The Pulitzer Prizes, awarded annually since 1917, are regarded among the highest honors in U.S. print journalism, literary achievement and musical composition. The Openflows Community Technology Lab has recently finished a re-implementation of their 15-year-old website using Drupal on a Linux, Apache, and MySQL platform, using free software to make their existing data more accessible, and to allow for continued expansion of the website's features and content.

Our Clients are The Bottom Line

One of the key things that makes OCTL different from many other Free Software/Open Source consulting groups is that we have no investors. We built the company based on labor and the needs of our clients.

At the end of the day, our decisions are not based on what is in the best interests of share holders, but on the commitments and relationships we have with the companies and organizations we work with.