* Advisory ID: DRUPAL-SA-CONTRIB-2011-050 * Project: Organic groups [1] (third-party module) * Version: 7.x * Date: 2011-October-26 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- Organic groups (OG) enables users to create and manage their own 'groups'. Each group can have subscribers, and maintains a group home page where subscribers communicate amongst themselves. OG has an API function to check access to an entity which is in a group "context". When the entity isn't in a group context, OG takes a permissive approach and allows access to the entity. Implementing modules such as Profile2 that try to check access on a non group/group content might result in access bypass -------- VERSIONS AFFECTED --------------------------------------------------- * Organic Groups 7.x-1.x versions prior to 7.x-1.2. Drupal core is not affected. If you do not use the contributed Organic groups [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Organic Groups module for Drupal 7.x, upgrade to Organic Groups 7.x-1.2 [4] See also the Organic groups [5] project page. -------- REPORTED BY --------------------------------------------------------- * Matthias Hutterer (mh86) [6] -------- FIXED BY ------------------------------------------------------------ * Wolfgang Ziegler (fago) [7] * Amitai Burstein (Amitaibu) [8] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [9] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [10]. Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13]. [1] http://drupal.org/project/og [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/og [4] http://drupal.org/node/1322344 [5] http://drupal.org/project/og [6] http://drupal.org/user/59747 [7] http://drupal.org/user/16747 [8] http://drupal.org/user/57511 [9] http://drupal.org/user/36762 [10] http://drupal.org/contact [11] http://drupal.org/security-team [12] http://drupal.org/writing-secure-code [13] http://drupal.org/security/secure-configuration