CVE-2009-4520

MEDIUM 5.0 / 10.0
Published: December 31, 2009 at 07:30 PM
Modified: April 9, 2025 at 12:30 AM
Source: cve@mitre.org

Vulnerability Description

The CCK Comment Reference module 5.x before 5.x-1.2 and 6.x before 6.x-1.3, a module for Drupal, allows remote attackers to bypass intended access restrictions and read comments by using the autocomplete path.

CVSS Metrics

Base Score
5.0
Severity
MEDIUM
Vector String (CVSS v2)
AV:N/AC:L/Au:N/C:P/I:N/A:N

Weaknesses (CWE)

Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

Drupal sites running the CCK Comment Reference module (5.x before 5.x-1.2, 6.x before 6.x-1.3) expose a medium-severity access control bypass. The module's autocomplete path returns matching comments to any remote requester, without requiring authentication, so comments that the site's permissions would otherwise hide can be read by an anonymous client. The impact is limited to confidentiality (C:P; no integrity or availability impact), which is why the CVSS v2 score is 5.0 rather than critical. The flaw is still relevant because many older Drupal 5.x and 6.x installations ran this module and never received the update.

02 // Vulnerability Mechanism

Step 1: Identify the Vulnerable Endpoint: In Drupal 5.x and 6.x, a module's autocomplete callback is an ordinary menu path registered in hook_menu(), and the path is emitted into the HTML of any form that renders the reference field so that the browser's autocomplete script can call it. An attacker who can view one such form, or who knows the module's conventional path, therefore knows the endpoint.

Step 2: Craft the Request: The attacker sends a plain GET request to the autocomplete path with a partial search string appended as the final path segment, exactly as the browser-side autocomplete widget would. The string can be as short as a single character to match as many comments as possible.

Step 3: Bypass Access Controls: The callback does not verify that the requester is allowed to see the matched comments (no permission check on the menu item or in the callback, and no filtering on comment publication status or on access to the parent node). No session or account is required, which matches the Au:N component of the vector.

Step 4: Retrieve Comment Data: The callback returns the matching comments (subjects and identifiers) as a JSON response to the requester, regardless of authorization level. Repeating the request with different prefixes enumerates the comment table.

03 // Deep Technical Analysis

The root cause is a missing or insufficient permission check in the autocomplete handler. The menu item that exposes the autocomplete path, or the callback behind it, releases comment data without confirming that the current user holds the permission that the comment module itself enforces when displaying comments, and without applying the per-comment and per-node restrictions (unpublished comments, node access) that normally govern visibility. Because the autocomplete endpoint is a separate code path from the comment display pages, the site's usual access controls never run for it, and an unauthenticated client can query it directly. The fix shipped in 5.x-1.2 and 6.x-1.3; sites still on an earlier release should upgrade, and, since the endpoint is a normal HTTP path, administrators can check web server access logs for unauthenticated requests to the module's autocomplete path to judge whether it was exercised.
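The mechanism in steps 1 through 4 and the root cause described above, as an added illustration written for this page in Drupal 6 module code. It is not the CCK Comment Reference module's own source, which is not reproduced here: a hypothetical module named commentref_example registers an autocomplete path whose callback returns comments with no access check, beside a hardened registration and callback. The path, function and module names are this example's assumptions; the Drupal 6 API calls it uses (hook_menu(), db_query_range(), db_rewrite_sql(), user_access(), drupal_json()) and the 'access comments' permission are real Drupal 6 APIs.

```php
<?php
// Added example, not the CCK Comment Reference module's code.
// Hypothetical module "commentref_example" reproducing the bug class of
// CVE-2009-4520 (unprotected autocomplete path) next to a hardened version.

/**
 * Implementation of hook_menu().
 */
function commentref_example_menu() {
  $items = array();

  // VULNERABLE: access is granted unconditionally, so anonymous users can
  // hit the path. The typed fragment arrives as the trailing path argument.
  $items['commentref_example/autocomplete/vulnerable'] = array(
    'page callback' => 'commentref_example_autocomplete_vulnerable',
    'access callback' => TRUE,
    'type' => MENU_CALLBACK,
  );

  // HARDENED: the menu system requires the same permission the comment
  // module checks before it displays comments.
  $items['commentref_example/autocomplete'] = array(
    'page callback' => 'commentref_example_autocomplete',
    'access arguments' => array('access comments'),
    'type' => MENU_CALLBACK,
  );

  return $items;
}

/**
 * VULNERABLE callback: returns matching comments as JSON without checking
 * who is asking, whether the comment is published, or whether the parent
 * node is visible to the requester.
 */
function commentref_example_autocomplete_vulnerable($string = '') {
  $matches = array();
  if ($string !== '') {
    // %% escapes the SQL wildcard for Drupal 6's printf-style db_query().
    $result = db_query_range("SELECT c.cid, c.subject FROM {comments} c WHERE LOWER(c.subject) LIKE LOWER('%%%s%%')", $string, 0, 10);
    while ($comment = db_fetch_object($result)) {
      $matches[$comment->subject . ' [cid:' . $comment->cid . ']'] = check_plain($comment->subject);
    }
  }
  drupal_json($matches);
}

/**
 * HARDENED callback: re-checks the permission (so the function stays safe if
 * reused from another path), returns only published comments on published
 * nodes, and lets db_rewrite_sql() apply node access for the current user.
 */
function commentref_example_autocomplete($string = '') {
  if (!user_access('access comments')) {
    drupal_access_denied();
    return;
  }
  $matches = array();
  if ($string !== '') {
    $sql = "SELECT c.cid, c.subject FROM {comments} c INNER JOIN {node} n ON c.nid = n.nid WHERE c.status = %d AND n.status = 1 AND LOWER(c.subject) LIKE LOWER('%%%s%%')";
    // COMMENT_PUBLISHED is 0 in Drupal 6; using the constant avoids the
    // common mistake of testing c.status = 1.
    $result = db_query_range(db_rewrite_sql($sql), COMMENT_PUBLISHED, $string, 0, 10);
    while ($comment = db_fetch_object($result)) {
      $matches[$comment->subject . ' [cid:' . $comment->cid . ']'] = check_plain($comment->subject);
    }
  }
  drupal_json($matches);
}
```

The two callbacks differ only in their access handling, which is the point: the query that powers an autocomplete widget must be gated by the same checks as the pages that display the data, both at the menu layer (so the path itself is refused) and inside the query (so unpublished comments and inaccessible nodes never reach the response).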

CVE-2009-4520 - MEDIUM Severity (5) | Free CVE Database | 4nuxd