Vigil@nce - Drupal Open Atrium: wrong merging of folder permissions
March 2016 by Vigil@nce
This bulletin was written by Vigil@nce : https://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can access to documents managed with Drupal Open
Atrium, in order to get private information.
Impacted products: Drupal Modules not comprehensive.
Severity: 2/4.
Creation date: 28/01/2016.
DESCRIPTION OF THE VULNERABILITY
The Open Atrium module can be installed on Drupal.
This module is used to define access rights to folders. A public
folder located in a private one should be private. However, it is
actually public.
An attacker can therefore access to documents managed with Drupal
Open Atrium, in order to get private information.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
https://vigilance.fr/vulnerability/Drupal-Open-Atrium-wrong-merging-of-folder-permissions-18832