This page says:

"This module is marked unsupported due to a security issue the maintainer never fixed See SA-CONTRIB-2012-068 for details."

But the link goes to this page http://drupal.org/node/1557852 which says:
"Access denied
You are not authorized to access this page."

Then the "You should review the patch intended to resolve this issue" link http://drupal.org/node/1515240 goes to what appears to be an unrelated issue which is SA-CONTRIB-2012-036 not SA-CONTRIB-2012-068

Any help identifying the actual vulnerability & access/links to the correct pages would be greatly appreciated.

[edit]
Of course 5 minutes after I posted this I upgraded to 6.26 and the upgrade to Drupal 6.26 actually does say:

"Project not supported: This project is no longer supported, and is no longer available for download. Disabling everything included by this project is strongly recommended!"

So this below is no longer accurate :)

One more thing is that the "Update status" module doesn't indicate a problem it just displays the name and a checkmark and a "Up to date", and neither does drush. This is what drush tells me...
Node Gallery (node_gallery) 6.x-3.1 6.x-3.1 Up to date

Comments

aitala’s picture

Yeah, that's a bit confusing...

Eric

aitala’s picture

That node - http://drupal.org/node/1557852 - is now available..

Wish it had more useful info...

Eric

aitala’s picture

Another note - I see where in node_gallery.pages.inc the call to drupal_add_js seems to have the same issue as the patch listed in http://drupal.org/node/1515240

Look for

drupal_add_js(array('node_gallery' => $settings), 'setting');

I'm not sure the fix would be the same but it's a clue at least.

Eric

justintime’s picture

Version: » 6.x-3.x-dev

I was indeed notified by the security team of the CSRF, as were all the maintainers. I responded that I don't have the resources to fix the problem -- I haven't written PHP for almost a year now, and don't have a Drupal install to test with.

I've been looking for maintainers for almost a year now, and no one has stepped up. If someone does want to, even if it's just to fix this security issue, let me know. I'm pretty sure I'm not at liberty to disclose the specifics of the vulnerability, but it's listed at https://security.drupal.org/node/71469. Anyone interested in fixing the issue can contact the security team to get access to view that node.

Sorry everyone, but life sometimes takes you in different directions. It kills me to see this module go unsupported, but it's just not reasonable for me to fix this.

aitala’s picture

I'd be willing to try to do a fix for the security issue assuming it's not massively complicated, but I don't know that I have the resources to fully maintain the module...

Eric

spidersilk’s picture

I'd be willing to help try and fix it, and possibly to be a co-maintainer if there were others interested in being co-maintainers as well. I use this module on enough different sites right now that I have a strong interest in seeing it stay alive. I can't do it all on my own, but I could be part of a team (preferably with people who have more module development experience than I have, since I have very little, though I do have a fair bit of PHP experience in general). If anyone else is interested, please feel free to contact me.

Also, do I understand correctly that this vulnerability only really applies if untrusted users are allowed to create galleries? If no one but the admin has the ability to create node galleries, is it still an issue?

I know it needs to be fixed either way if the module is to continue - I'm just trying to figure out if this vulnerability actually puts any of my sites at risk. On all of them, only the admin can create galleries.

justintime’s picture

I'm going to catch up with @greggles later today in IRC and see what I can do to get @aitala the details he'd need to fix the problem.

greggles’s picture

Hey there. Sorry about the link pointing to the wrong issue - that was a copy paste mistake :/ Fixed now.

@spidersilk - CSRF is not just about permissions. It's about tricking someone into doing something they didn't intend to do. There's more on the topic, including how to fix it, at http://drupalscout.com/tags/csrf

The SA is purposefully a bit vague because we don't want to reveal the specific details of the problem just yet.

justintime’s picture

Anyone wanting to fix the problem should just email security@drupal.org and request access to https://security.drupal.org/node/71469. Given @greggles' link above, and the fact from the advisory that states "does not protect a CSRF attack when creating node galleries", you can probably track down where the problem is at.

greggles’s picture

Some caveats on Justin's comment in #9. We need people willing to become the new maintainer. Ideally you should be familiar with how to exploit and fix CSRF - if you don't know what that is, read up on http://drupalscout.com/tags/csrf and the articles linked on https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet

You should have at least created a git sandbox on drupal.org to get familiar with how git and project creation works.

aitala’s picture

I am working on setting up a test environment to figure out a fix to the security issue - if anyone would like to help, please let me know.

Any assistance would be useful as I'm not entirely sure I have all the skills required or the available time...

It does appear that if the ability to create galleries is disabled, that a site should be safe from CSRF...

Eric

zengenuity’s picture

I have created a patch to fix this issue, and I'm willing to become the maintainer of this module. (I would appreciate help if anyone wants to co-maintain.)

I'm not going to attach the patch because it would obviously disclose the details of the exploit. I'll message @greggles and see what the next step is.

misthero’s picture

Nice to see someone is working on this, my knowledge is not enough to help, anyway I really hope this module is kept alive.

greggles’s picture

Title: Clarification on status & missing SA-CONTRIB-2012-068 details » Fix SA-CONTRIB-2012-068 and create a new release
Category: support » task

zengenuity is now the maintainer of the module. Changing this issue to be about fixing the SA and making a release so it can be moved to "fixed" once zengenuity has done that. Thanks to zengenuity, and also to aitala for helping test the patch.

justintime’s picture

@zengenuity thanks so much. While I don't have the resources to write any code, I'll do my best to be available to you for questions about design decisions made, etc. I'm at a conference all week, but if you send me a note via my contact form, I'll link up with you next week and share some contact info. Thanks!

zengenuity’s picture

Assigned: Unassigned » zengenuity
Status: Active » Fixed

I released version 6.x-3.2, and the update feed has refreshed. Everyone should now get a security notice to update, but not the unsupported notice that was there before.

zengenuity’s picture

Status: Fixed » Closed (fixed)

RedRat’s picture

zengenuity, thanks a lot to you!

greggles’s picture

Status: Closed (fixed) » Fixed

Note that when you fix something the best Status is "fixed." This leaves it visible in the queue for two weeks at which point it gets automatically closed by an automated process.

Leaving it in the queue makes it visible to people who may be looking for the same issue and helps prevent duplicate issues.

DocMartin’s picture

Many thanks, Zengenuity!

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

Anonymous’s picture

Issue summary: View changes

Update change about update status