Vigil@nce - Drupal me aliases: privilege escalation via uncontrolled redirect
August 2015 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can use URLs handled by Drupal me aliases, in order to
access unauthorized content.
Impacted products: Drupal Modules not comprehensive.
Severity: 2/4.
Creation date: 25/06/2015.
DESCRIPTION OF THE VULNERABILITY
The me aliases module can be installed on Drupal.
This modules provides URL aliases. However, the module does not
check the permissions of pages that it provides references to.
An attacker can therefore use URLs handled by Drupal me aliases,
in order to access unauthorized content.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN