* Advisory ID: DRUPAL-SA-CONTRIB-2011-047
* Project: OG Features [1] (third-party module)
* Version: 6.x
* Date: 2011-October-05
* Security risk: Highly critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION ---------------------------------------------------------
OG Features provides a mechanism for groups to enable or disable certain bundles of functionality, or features, within the groups they administer. The module turns components on and off within a given group by overriding the access callback of every menu item, checking the group's feature settings first and then handing the decision off to the original access callback.
When local task menu items are declared in hook_menu(), they often omit an access callback and access arguments, leaving both to be inherited from the parent path. OG Features did not check for this condition, and thus granted access to many pages that contained local tasks, regardless of roles or permissions. Because of this, many administration pages were left open to users, both anonymous and authenticated, giving them control over the site.
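The pattern behind this advisory, as an added Drupal 6 example that is not OG Features' own code: a hypothetical module wraps every router item's access callback in hook_menu_alter(), which runs before the router resolves inherited access data, so a default local task can arrive without an access callback of its own. The vulnerable variant treats that as "nothing to check" and allows; the hardened variant leaves such items alone so they inherit the already-wrapped parent callback. groupfeat_feature_enabled() is an assumed helper answering whether the path's feature is enabled for the current group.

```php
<?php
// Hypothetical module, not OG Features' code. hook_menu_alter() runs before
// _menu_router_build() copies a parent's access data onto a default local
// task, so an item may arrive here with neither 'access callback' nor
// 'access arguments'. groupfeat_feature_enabled($path) is assumed to exist.

// Vulnerable pattern: wrap every item; one with no access data of its own is
// recorded with an empty original callback.
function groupfeat_vulnerable_menu_alter(&$items) {
  foreach ($items as $path => &$item) {
    $orig_cb   = isset($item['access callback']) ? $item['access callback'] : '';
    $orig_args = isset($item['access arguments']) ? $item['access arguments'] : array();
    $item['access callback']  = 'groupfeat_vulnerable_access';
    $item['access arguments'] = array_merge(array($path, $orig_cb), $orig_args);
  }
}
function groupfeat_vulnerable_access($path, $orig_cb) {
  if ($orig_cb === '') {
    // "No callback to delegate to" treated as allow: this is the access bypass.
    return groupfeat_feature_enabled($path);
  }
  return call_user_func_array('groupfeat_access', func_get_args());
}

// Hardened pattern: skip items without their own access data. The router then
// resolves a default local task to its parent's callback, which this hook has
// already wrapped; an item that cannot inherit is denied by the router.
function groupfeat_menu_alter(&$items) {
  foreach ($items as $path => &$item) {
    if (!isset($item['access callback']) && !isset($item['access arguments'])) {
      continue;
    }
    // Mirror Drupal's default when only 'access arguments' is declared.
    $orig_cb   = isset($item['access callback']) ? $item['access callback'] : 'user_access';
    $orig_args = isset($item['access arguments']) ? $item['access arguments'] : array();
    $item['access callback']  = 'groupfeat_access';
    // Leading strings are left alone by menu_unserialize(); the original integer
    // arguments stay at top level so the router still substitutes path objects.
    $item['access arguments'] = array_merge(array($path, $orig_cb), $orig_args);
  }
}
function groupfeat_access($path, $orig_cb) {
  if (!groupfeat_feature_enabled($path)) {
    return FALSE;
  }
  if (is_bool($orig_cb) || is_numeric($orig_cb)) {
    return (bool) $orig_cb;  // items declared with TRUE/FALSE instead of a function
  }
  // Anything that is not callable (including '') is denied rather than allowed.
  return is_callable($orig_cb) ? call_user_func_array($orig_cb, array_slice(func_get_args(), 2)) : FALSE;
}
```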
-------- VERSIONS AFFECTED ---------------------------------------------------
* OG Features 6.x-1.x versions prior to 6.x-1.2.
Drupal core is not affected. If you do not use the contributed OG Features [3] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the OG Features module for Drupal 6.x, upgrade to OG Features 6.x-1.2 [4]
See also the OG Features [5] project page.
-------- REPORTED BY ---------------------------------------------------------
* Imad Nabli [6]
-------- FIXED BY ------------------------------------------------------------
* Mike Stefanello [7], the module maintainer
-------- COORDINATED BY ------------------------------------------------------
* Greg Knaddison [8] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [9].
Learn more about the Drupal Security team and their policies [10], writing secure code for Drupal [11], and securing your site [12].
[1] http://drupal.org/project/og_features
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/og_features
[4] http://drupal.org/node/1300644
[5] http://drupal.org/project/og_features
[6] http://drupal.org/user/1489142
[7] http://drupal.org/user/107190
[8] http://drupal.org/user/36762
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration