Upgrade Your Drupal Skills
We trained 1,000+ Drupal Developers over the last decade.
See Advanced Courses NAH, I know EnoughSA-CORE-2009-002 Drupal core - Administer content types permission
- Advisory ID: DRUPAL-SA-CORE-2009-002
- Project: Drupal core
- Versions: 5.x and 6.x
- Date: 2009-February-11
- Security risk: None
Description
This is a public service announcement regarding the "administer content types" permission. The rise of the Content Construction Kit (CCK) and a legion of powerful CCK field modules have considerably extended the abilities of a user with this permission, with much of a site's behaviour now being configurable via the content types administration pages.
The permission "administer content types" is therefore comparable in scope to the "administer site configuration" permission. Only grant this permission to trusted site administrators.
Solution
Only grant trusted site administrators the "administer content types" permission.
Contact
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
About Drupal Sun
Drupal Sun is an Evolving Web project. It allows you to:
- Do full-text search on all the articles in Drupal Planet (thanks to Apache Solr)
- Facet based on tags, author, or feed
- Flip through articles quickly (with j/k or arrow keys) to find what you're interested in
- View the entire article text inline, or in the context of the site where it was created
See the blog post at Evolving Web