- Advisory ID: DRUPAL-SA-2008-040
- Project: Organic Groups (third-party module)
- Versions: 5.x and 6.x
- Date: 2008-July-02
- Security risk: Less Critical
- Exploitable from: Remote
- Vulnerability: Cross site scripting and information disclosure
Organic groups enables users to create and manage their own 'groups'. Each group can be subscribed to, and includes a group home page where subscribers can communicate amongst themselves. Two vulnerabilities were found in the module.
Cross site scripting
The module displays certain values without appropriate filtering. Malicious group owners are able to exploit this issue and insert arbitrary HTML and script code into pages. Such a cross site scripting (XSS) attack may lead to administrator access for the malicious user.
- Audience check boxes must be disabled (enabled by default).
- Site must allow untrusted users to create groups.
- Malicious group owner must convince others to join his group.
- Users may be attacked if they try to start a new discussion in the group (not a comment).
Malicious users may discover the title of private groups. Other group details and the contents of private posts are not compromised.
- OG Access module must be enabled.
- Site must use the private groups feature.
- Versions of Organic groups for Drupal 5.x prior to 5.x-7.3
- Versions of Organic groups for Drupal 6.x prior to 6.x-1.0-RC1
Drupal core is not affected. If you do not use the Organic groups module, there is nothing you need to do.
Install the latest version and run update.php:
- If you use Organic groups for Drupal 5.x upgrade to Organic groups 5.x-7.3
- If you use Organic groups for Drupal 6.x upgrade to Organic groups 6.x-1.0-RC1
Also see the Organic groups project page.
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact and by selecting the security issues category.