• Advisory ID: DRUPAL-SA-CONTRIB-2011-004
  • Projects: Multiple third party modules - OG Forum, Open Legislation, PowerSQL
  • Version: 6.x
  • Date: 2011-February-02
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Multiple (Information disclosure, Cross Site Scripting, Cross Site Request Forgery, SQL injection)

Versions affected and proposed solutions

OG Forum for Drupal 6.x
OG Forum creates a forum per organic group and restricts viewing forum nodes by group membership.

OG Forum does not properly implement access controls on private forums it creates, which can lead to a private group's forums becoming public via Cross Site Request Forgeries (CSRF). Additionally, OG Forum stores private group and forum information in a global vocabulary, which can lead to information such as group and forum names being disclosed to members not part of the private group.
Solution: Disable the module. There is no safe version of the module to use.

Open Legislation for Drupal 6.x
This module provides integration for OpenLegislation, the open legislation database and web service of the New York State Senate.
The module is vulnerable to a Cross Site Scripting (XSS) attack via content consumed from remote web services.
Solution: Disable the module. There is no safe version of the module to use.

PowerSQL for Drupal 6.x
This module implements additional database API functions which are not secure. Use of this module may make your site vulnerable to a SQL injection attack.
Solution: Disable the module. There is no safe version of the module to use.

Drupal core is not affected. If you do not use any of the module releases above, there is nothing you need to do.

Ongoing Maintenance of these modules

If you are interested in taking over maintenance of a module, or branch of a module, that is no longer supported, and are capable of fixing security vulnerabilities, you may apply to do so using the abandoned project takeover process.

Reported by

  • OG Forum issues:
    • The information disclosure vulnerability was reported by Tim_O
    • The access bypass vulnerability was reported by Michael Hao (qmhao99)
  • Open Legislation issue reported by Stéphane Corlosquet of the Drupal Security Team
  • PowerSQL issue reported by Jakub Suchy of the Drupal Security Team

Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Read more about the Security Team and Security Advisories at http://drupal.org/security.