Michael J. Orlitzky, Metro Data, Inc.'s Chief of Network Operations, reported and helped fix a security vulnerability in a Drupal contributed module. The complete vulnerability report can be found online: http://drupal.org/node/1782832
* Advisory ID: DRUPAL-SA-CONTRIB-2012-141
* Project: Mass Contact [1] (third-party module)
* Version: 6.x
* Date: 2012-September-12
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
DESCRIPTION
This module allows users who hold the relevant permission to send a single message to
multiple users of a site, with recipients selected by role.
The module doesn't sufficiently re-check those permissions after the form has been
submitted, so the checks applied when the form is built can be bypassed at submission time.
This vulnerability is mitigated by the fact that an attacker must use a tool
of some kind (like the Tamper Data Firefox add-on) to intercept the form
submission request in order to modify the settings.
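The weakness described above is a general one in form handling: access is enforced when the form is rendered (which roles are offered as choices) but not when the submitted values are processed. The following Drupal 6 Form API sketch is an added illustration, not the Mass Contact module's own code; the permission strings, function names and the recipient-selection policy are hypothetical. It shows the unchecked submit pattern beside a hardened version whose validate and submit handlers recompute the allowed role set server-side from the current user's permissions and reject or discard anything outside it.

```php
<?php
// Added example (not from the Mass Contact module): Drupal 6 Form API
// handlers for a hypothetical "send message to roles" form. Permission
// names and helper functions below are assumptions for illustration.

/**
 * Unchecked pattern: the form builder only offered roles the user may
 * message, but this submit handler trusts whatever role IDs arrive in
 * $form_state['values'], so a modified request can name additional roles.
 */
function example_mass_message_form_submit_unchecked($form, &$form_state) {
  $rids = array_keys(array_filter($form_state['values']['recipients']));
  example_mass_message_send($rids, $form_state['values']['message']);
}

/**
 * Hardened pattern, step 1: a validate handler recomputes the set of roles
 * the current user is allowed to address and rejects any submitted role ID
 * outside that set. Because this runs on every submission, tampering with
 * the request gains nothing.
 */
function example_mass_message_form_validate($form, &$form_state) {
  $allowed   = example_mass_message_allowed_roles();  // rid => role name
  $submitted = array_keys(array_filter($form_state['values']['recipients']));
  $denied    = array_diff($submitted, array_keys($allowed));
  if (!empty($denied)) {
    form_set_error('recipients', t('You are not permitted to send to one or more of the selected roles.'));
    // Log the attempt so that repeated tampering is visible to site admins.
    watchdog('example_mass_message',
      'User %uid submitted role IDs they may not address: %rids',
      array('%uid' => $GLOBALS['user']->uid, '%rids' => implode(',', $denied)),
      WATCHDOG_WARNING);
  }
}

/**
 * Hardened pattern, step 2: even though validation passed, intersect the
 * submitted IDs with the allowed set again so the send path never depends
 * on client-supplied data alone (defence in depth if a validate handler is
 * later removed or reordered).
 */
function example_mass_message_form_submit($form, &$form_state) {
  $allowed   = array_keys(example_mass_message_allowed_roles());
  $submitted = array_keys(array_filter($form_state['values']['recipients']));
  example_mass_message_send(array_intersect($submitted, $allowed), $form_state['values']['message']);
}

/**
 * Roles the current user may message (hypothetical policy): a user with the
 * assumed permission 'send mass message to any role' may address every
 * role; otherwise only roles for which the assumed per-role permission
 * 'send mass message to role N' has been granted. user_roles() and
 * user_access() are real Drupal 6 API functions.
 */
function example_mass_message_allowed_roles() {
  $allowed = array();
  foreach (user_roles(TRUE) as $rid => $name) {
    if (user_access('send mass message to any role')
        || user_access('send mass message to role ' . $rid)) {
      $allowed[$rid] = $name;
    }
  }
  return $allowed;
}

/**
 * Delivery helper (hypothetical): records which roles a message was sent
 * to. Actual mail delivery via drupal_mail() and hook_mail() is outside
 * the scope of this example.
 */
function example_mass_message_send($rids, $message) {
  watchdog('example_mass_message', 'Message sent to roles %rids',
    array('%rids' => implode(',', $rids)), WATCHDOG_NOTICE);
  return $rids;
}
```

The design point is that the form builder and the submit path each derive the permitted recipient set independently from the user's permissions; the rendered checkbox list is a convenience for the user, never the authority on what may be sent.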
VERSIONS AFFECTED
* Mass Contact 6.x-1.x versions prior to 6.x-1.2.
Drupal core is not affected. If you do not use the contributed Mass Contact
[3] module, there is nothing you need to do.
SOLUTION
Install the latest version:
* If you use the Mass Contact module for Drupal 6.x, upgrade to Mass Contact 6.x-1.2 [4]
Also see the Mass Contact [5] project page.
REPORTED BY
* Michael Orlitzky [6]
FIXED BY
* Michael Orlitzky [7]
* Jason Flatt [8] the module maintainer
COORDINATED BY
* Greg Knaddison [9] of the Drupal Security Team
CONTACT AND MORE INFORMATION
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10]. Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
[1] http://drupal.org/project/mass_contact
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/mass_contact
[4] http://drupal.org/node/1782766
[5] http://drupal.org/project/mass_contact
[6] http://drupal.org/user/1731656
[7] http://drupal.org/user/1731656
[8] http://drupal.org/user/4649
[9] http://drupal.org/user/36762
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
About Drupal
Drupal is an open-source content-management framework written in PHP and distributed under the GNU General Public License. It is used as a back-end framework for at least 2.1% of all Web sites worldwide ranging from personal blogs to corporate, political, and government sites including WhiteHouse.gov and data.gov.uk. It is also used for knowledge management and business collaboration.
The standard release of Drupal, known as Drupal core, contains basic features common to content management systems. These include user account registration and maintenance, menu management, RSS feeds, taxonomy, page layout customization, and system administration. The Drupal core installation can serve as a simple Web site, a single- or multi-user blog, an Internet forum, or a community Web site providing for user-generated content.
As of October 2014, there are more than 30,000 community-contributed add-ons, known as contributed modules, available to alter and extend Drupal's core capabilities and add new features or customize Drupal's behavior and appearance. The Drupal community has more than 1 million members (as of October 2013) and 31,000 developers (as of February 2014).
About Metro Data, Inc.
Founded in 1994, Metro Data, Inc. is a leading information systems & services firm that works exclusively with business clients to develop and apply customized technology solutions that accomplish a client's strategic goals.
Businesses have chosen Metro Data, Inc. to help keep pace with the ever-changing technology landscape. Metro Data, Inc.'s "end-to-end" experience helps its customers secure their systems, reduce costs, and improve the performance of their business information systems.
For more information, call: 410-667-3600