Pair of Drupal Modules Patch Access Bypass Flaws

A pair of modules included in the Drupal content management system have been updated to fix access bypass vulnerabilities that could allow an attacker to take actions on behalf of some users.

One of the modules fixed is the Twitter module, which allows users to take a variety of actions, including pulling in public tweets and authenticating via Twitter. The bug is listed as moderately critical because the attacker would need to have permissions on the target system.

“The module doesn’t sufficiently check for access when using the Twitter Post submodule to post messages to Twitter and allows a tweet to be posted to any authenticated account, not just one that the user owns,” the Drupal advisory says.

“The module also doesn’t sufficiently check for access when listing a user’s connected Twitter accounts, allowing any user to change the options for any other account, including deleting the attached Twitter account.”

The second module patched is the RESTful API module, which allows sites to expose their Drupal backends via the API. The bug affects 7.x-1.x versions prior to 7.x-1.3.

“The module doesn’t sufficiently account for core’s page cache generation for anonymous users, when using non-cookie authentication providers. Authenticated users, via one of the authentication providers, can have their pages cached as anonymous users, and therefore allowing access to potentially restricted information during subsequent anonymous requests,” the advisory says.
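The caching problem the advisory describes can be modelled in a few lines. The following is an added illustration, not Drupal's or the RESTful module's code: a page cache that treats "no session cookie" as "anonymous" stores a response generated for a token-authenticated user and replays it to later anonymous requests, while the corrected variant refuses to write responses for non-cookie-authenticated users into the anonymous cache. All names, data and the token header are constructed for this example.

```python
# Constructed sample data: a restricted resource and a non-cookie
# authentication provider (an API token header), not real site values.
RESTRICTED_DATA = {"/api/profile": "email: alice@example.test (private)"}
VALID_TOKENS = {"tok-alice": "alice"}


def authenticate(request):
    """Resolve the user from a session cookie or, failing that, a token header."""
    cookies = request.get("cookies", {})
    if "session" in cookies:
        return cookies["session"]
    token = request.get("headers", {}).get("X-Auth-Token")
    return VALID_TOKENS.get(token)


def render(path, user):
    """Build the response body; anonymous visitors must not see restricted data."""
    if user is None:
        return "403 anonymous access denied"
    return RESTRICTED_DATA.get(path, "404")


class PageCache:
    def __init__(self, respect_noncookie_auth):
        self.store = {}
        self.respect_noncookie_auth = respect_noncookie_auth

    def handle(self, request):
        path = request["path"]
        has_cookie = "session" in request.get("cookies", {})
        # Cache hits are only served to requests without a session cookie.
        if path in self.store and not has_cookie:
            return self.store[path] + " [cached]"
        user = authenticate(request)
        body = render(path, user)
        # Vulnerable: "no cookie" is taken to mean "anonymous", so a response
        # produced for a token-authenticated user lands in the anonymous cache.
        # Fixed: responses for non-cookie-authenticated users are never cached.
        cacheable = not has_cookie and (user is None or not self.respect_noncookie_auth)
        if cacheable:
            self.store[path] = body
        return body


def simulate(respect_noncookie_auth):
    """Token-authenticated request first, then an anonymous request for the same path."""
    cache = PageCache(respect_noncookie_auth)
    cache.handle({"path": "/api/profile", "headers": {"X-Auth-Token": "tok-alice"}})
    return cache.handle({"path": "/api/profile"})
```

`simulate(False)` returns the private profile data to the anonymous request; `simulate(True)` returns the 403 response.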

These vulnerabilities don’t affect Drupal core, only the modules themselves.
