Date
Severity
Moderately Critical
Vulnerability
Access Bypass
Affected versions
<7.x-1.5

Description

The Ajax Blocks module loads dynamic blocks on cached pages for anonymous users by performing AJAX requests. The module allows administrators to configure which blocks should be loaded via AJAX to improve performance while maintaining dynamic content.

The module doesn't properly validate that blocks are enabled in Drupal's block system before serving their content through the AJAX endpoint. The code serving these requests checked block permissions and role access but failed to verify that the requested blocks were actually enabled and assigned to valid regions in the block configuration.

This vulnerability is mitigated by the requirement for administrative access to configure AJAX blocks, and the fact that the vulnerability only affects blocks that have been explicitly configured for AJAX loading. However, it could allow unauthorized access to content from blocks that administrators intended to be disabled or hidden from view.
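As an added illustration of the missing check described above (hypothetical helper code, not the Ajax Blocks module's own code), the following Drupal 7 function verifies both that a block is enabled and placed in a region and that the current user passes its role restrictions before any AJAX endpoint renders it; the function name and its wiring into a menu callback are assumed.

```php
<?php
/**
 * Hypothetical Drupal 7 helper (not the Ajax Blocks module's code):
 * decide whether a block may be served through an AJAX endpoint.
 *
 * The gap in the advisory was checking role/permission access without
 * also checking that the block is enabled and assigned to a region.
 * Both checks are performed here before any block content is built.
 */
function example_ajax_block_allowed($module, $delta) {
  // block_load() returns the {block} row, or a stub object with no bid
  // when no such block has been configured.
  $block = block_load($module, $delta);
  if (empty($block->bid)) {
    // Unknown module/delta: nothing to serve.
    return FALSE;
  }

  // The missing check: a disabled block, or one not assigned to a
  // region, is not shown on the normal page and must not be exposed
  // through AJAX either.
  if (empty($block->status) || $block->region == BLOCK_REGION_NONE) {
    return FALSE;
  }

  // Role access as configured on the block admin form: if {block_role}
  // rows exist for this block, the user must hold at least one of them.
  $roles = db_select('block_role', 'r')
    ->fields('r', array('rid'))
    ->condition('module', $module)
    ->condition('delta', $delta)
    ->execute()
    ->fetchCol();
  global $user;
  if (!empty($roles) && !array_intersect($roles, array_keys($user->roles))) {
    return FALSE;
  }

  return TRUE;
}
```

An AJAX callback would call this helper first and respond with a 403 (for example via drupal_access_denied()) when it returns FALSE, so that the block's render pipeline is never reached for disabled or hidden blocks.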

Solution

Install the latest version.

If you use the Ajax Blocks module for Drupal 7, upgrade to Ajax Blocks 7.x-1.5:


Reported by

Fixed by

  • Tag1 D7ES

Coordinated by