For the newly added newsletter for CVS account holders: http://drupal.org/maintainer-news
October 2008 Maintainer News Draft
Security team update
We recently released SA-2008-063 for multiple contributed modules. The cause was the same in each: an incorrect implementation of hook_menu() in Drupal 6, which turned a permission check into an unconditional grant.
Incorrect:
'access callback' => user_access('administer nodes'),
This calls user_access() while hook_menu() is running, that is, during a menu rebuild, as whichever user triggered the rebuild (usually an administrator who holds the permission). The expression therefore evaluates to TRUE, and only that constant is stored in the menu router, so the page is wide open to any user who might come across it. The menu system never gets a chance to check the permission of the user actually making the request.
Correct:
'access callback' => 'user_access',
'access arguments' => array('administer nodes'),
or even more simply:
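As an added example (not code from SA-2008-063 or from any affected module), the script below shows both forms in a complete hook_menu() implementation for a hypothetical module "example", then models, in a stripped-down way, how the Drupal 6 menu router stores and evaluates 'access callback'. The function names, the path admin/example, the permission sets and the stand-in user_access() are assumptions made for the example; the router functions imitate Drupal's behaviour and are not its API, so run it with the php CLI on its own, never inside a Drupal site:

```php
<?php
// Added example, not code from SA-2008-063 or from any affected module.
// Part 1 shows the two hook_menu() forms in a hypothetical module "example".
// Part 2 is a stripped-down model of how the Drupal 6 menu router stores and
// evaluates 'access callback'; it defines its own user_access() stand-in, so
// run it with the php CLI, never inside a Drupal site.

// ---- 1. The two hook_menu() forms ---------------------------------------

// INCORRECT: user_access() runs while hook_menu() runs, i.e. during a menu
// rebuild, as whichever user triggered the rebuild (normally an admin who
// holds the permission). Only the resulting boolean is stored.
function example_menu_incorrect() {
  $items = array();
  $items['admin/example'] = array(
    'title' => 'Example settings',
    'page callback' => 'example_admin_page',
    'access callback' => user_access('administer nodes'),
  );
  return $items;
}

// CORRECT: store the callback name and its arguments; the menu system then
// calls user_access('administer nodes') for the user of each request.
function example_menu_correct() {
  $items = array();
  $items['admin/example'] = array(
    'title' => 'Example settings',
    'page callback' => 'example_admin_page',
    'access callback' => 'user_access',
    'access arguments' => array('administer nodes'),
  );
  return $items;
}

// Hypothetical page callback; its body does not matter for the access check.
function example_admin_page() {
  return 'Settings form would go here.';
}

// ---- 2. Why the incorrect form opens the page to everyone ---------------

// Stand-in for Drupal's global $user: the permissions of the current request.
$GLOBALS['example_current_perms'] = array();

// Stand-in for user_access(). The real function also grants uid 1
// everything; that detail is not needed to show the bug.
function user_access($perm) {
  return in_array($perm, $GLOBALS['example_current_perms']);
}

// Model of a menu rebuild. Drupal writes each item into the menu_router
// table, where access_callback is a string column: boolean TRUE is stored
// as '1', FALSE as ''. Arguments are serialised separately.
function example_rebuild_router($hook, array $rebuilding_user_perms) {
  $GLOBALS['example_current_perms'] = $rebuilding_user_perms;
  $router = array();
  foreach ($hook() as $path => $item) {
    $args = isset($item['access arguments']) ? $item['access arguments'] : array();
    $router[$path] = array(
      'access_callback' => (string) $item['access callback'],
      'access_arguments' => serialize($args),
    );
  }
  return $router;
}

// Model of _menu_check_access(): a numeric callback is a fixed answer for
// everyone; a function name is called with the stored arguments per request.
function example_check_access(array $router_item, array $requesting_user_perms) {
  $GLOBALS['example_current_perms'] = $requesting_user_perms;
  $callback = empty($router_item['access_callback']) ? 0 : trim($router_item['access_callback']);
  if (is_numeric($callback)) {
    return (bool) $callback;
  }
  $args = unserialize($router_item['access_arguments']);
  return (bool) call_user_func_array($callback, $args);
}

// ---- 3. Walk-through with constructed users ------------------------------
$admin     = array('administer nodes', 'access content');
$anonymous = array('access content');

$hooks = array('incorrect' => 'example_menu_incorrect', 'correct' => 'example_menu_correct');
foreach ($hooks as $label => $hook) {
  // The administrator triggers the rebuild (e.g. by clearing caches), so
  // hook_menu() runs with the admin's permissions in both cases.
  $router = example_rebuild_router($hook, $admin);
  $item = $router['admin/example'];
  printf("%-9s stored access_callback: %s\n", $label, var_export($item['access_callback'], TRUE));
  printf("%-9s admin: %s, anonymous: %s\n", $label,
    example_check_access($item, $admin) ? 'allowed' : 'denied',
    example_check_access($item, $anonymous) ? 'allowed' : 'denied');
}
```

The walk-through rebuilds the router as the administrator and then checks the same item for the administrator and for an anonymous user: with the incorrect form the stored callback is the numeric string '1', so both are allowed; with the correct form only the holder of 'administer nodes' is. Note that a literal 'access callback' => TRUE is legitimate for a page that is meant to be public; the bug is computing a user-dependent boolean at rebuild time instead of naming the function that should compute it per request.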