* Advisory ID: DRUPAL-SA-CONTRIB-2009-066
* Project: Organic Groups (third-party module)
* Version: 5.x, 6.x
* Date: 2009-September-30
* Security risk: Moderately Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting

-------- DESCRIPTION ---------------------------------------------------------
The Organic Groups (OG) module provides a way to organize users and content into groups. When displaying group nodes, the module does not properly sanitize all user-entered text, leading to a cross-site scripting (XSS [1]) vulnerability. Users with permission to create or edit group nodes (which may be any node types assigned by the site administrator) may carry out the attack. Such an attack may lead to a malicious user gaining full administrative access.

-------- VERSIONS AFFECTED ---------------------------------------------------
* Organic Groups 6.x-1.x prior to 6.x-1.4
* Organic Groups 5.x-8.x prior to 5.x-8.1
* Organic Groups 5.x-7.x prior to 5.x-7.4
* Organic Groups 6.x-2.0 existing release is not affected.

Drupal core is not affected. If you do not use the contributed Organic Groups module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------
Install the latest version:

* If you use Organic Groups for Drupal 6.x-1.x, upgrade to OG 6.x-1.4 [2]
* If you use Organic Groups for Drupal 5.x-8.x, upgrade to OG 5.x-8.1 [3]
* If you use Organic Groups for Drupal 5.x-7.x, upgrade to OG 5.x-7.4 [4]

See also the Organic Groups module project page [5].

-------- REPORTED BY ---------------------------------------------------------
John Morahan [6] of the Drupal Security Team

-------- FIXED BY ------------------------------------------------------------

John Morahan [7] and Derek Wright [8], both of the Drupal Security Team.

-------- CONTACT -------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/node/592410
[3] http://drupal.org/node/592412
[4] http://drupal.org/node/592414
[5] http://drupal.org/project/og
[6] http://drupal.org/user/58170
[7] http://drupal.org/user/58170
[8] http://drupal.org/user/46549
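The DESCRIPTION section above comes down to one output-encoding rule: text that a user typed into a group node must be escaped before it is placed in HTML. The following PHP is an added illustration written for this page; it is not code from the Organic Groups module or the fix referenced above. The function names (sanitize_plain, render_group_vulnerable, render_group_safe), the og_description field and the sample group record are constructed for the example. sanitize_plain() reproduces what Drupal 6's check_plain() does (reject invalid UTF-8, then htmlspecialchars with ENT_QUOTES); in real Drupal code you would call check_plain() or t() with an @-placeholder instead of this helper.

```php
<?php
// Added example, not Organic Groups code: the vulnerable and the hardened
// way to put a user-entered group field into markup.

// Mirrors Drupal 6 check_plain(): drop strings that are not valid UTF-8
// (same test Drupal uses), then escape &, <, >, " and ' so the browser
// renders the value as literal text rather than interpreting it as HTML.
function sanitize_plain($text) {
  if (preg_match('/^./us', $text) != 1) {
    return '';
  }
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Vulnerable pattern: the user-controlled description is concatenated
// straight into the page, so any tags in it become part of the DOM.
function render_group_vulnerable(array $group) {
  return '<div class="og-description">' . $group['og_description'] . '</div>';
}

// Hardened pattern: escape at the point of output. Escaping on output
// (rather than on input) keeps the stored value intact and protects every
// place the field is later displayed.
function render_group_safe(array $group) {
  return '<div class="og-description">' . sanitize_plain($group['og_description']) . '</div>';
}

// Review check for templates: true when the raw user value, which contains
// markup characters, appears unchanged in the rendered HTML.
function leaks_raw_markup($html, $user_value) {
  return preg_match('/[<>"\']/', $user_value) === 1
    && strpos($html, $user_value) !== false;
}

// Constructed sample record: a description as typed by a user who holds
// permission to create or edit group nodes. A harmless <b> tag is enough
// to show whether markup survives unescaped.
$group = array(
  'og_description' => 'Hello <b>world</b> & "friends"',
);

echo render_group_vulnerable($group), "\n";
echo render_group_safe($group), "\n";

// The vulnerable renderer leaks the markup; the safe one does not.
echo 'vulnerable leaks markup: ', var_export(leaks_raw_markup(render_group_vulnerable($group), $group['og_description']), true), "\n";
echo 'safe leaks markup:       ', var_export(leaks_raw_markup(render_group_safe($group), $group['og_description']), true), "\n";
```

When auditing a contributed module for the class of bug this advisory describes, the question to ask of every theme function and template is the one leaks_raw_markup() asks: does a user-supplied value reach the output without passing through check_plain(), filter_xss() or a format filter appropriate to the field.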