[Security-news] SA-CONTRIB-2009-095 - Smartqueue OG - Access Bypass

security-news at drupal.org
Wed Nov 4 20:06:07 UTC 2009


  * Advisory ID: SA-CONTRIB-2009-095
  * Project: Smartqueues for Organic Groups (smartqueue_og) (third-party
    module)
  * Version: 6.x
  * Date: 2009 November 4
  * Security risk: Moderately critical
  * Exploitable from: Remote
  * Vulnerability: Access bypass

-------- DESCRIPTION ---------------------------------------------------------

The Smartqueue_og [1] module uses Nodequeue's Smartqueue API to provide a
Nodequeue [2] for organic groups which is editable by members of that group
or the group's administrators. Users with the "administer nodequeue"
permission have the option to batch create subqueues (individual instances of
a queue) for all eligible organic group nodes. For each subqueue that is
created, a confirmation message is displayed containing the name of the
organic group. The displayed message does not check that the current user has
permission to view the group node. A similar message is also displayed when
an eligible group node is submitted.

Smartqueue_og users should also note: subqueue titles contain the title of
the organic group node to which the subqueue is related. Users with the
'manipulate all queues' or 'manipulate all og queues' permissions will be
able to view all smartqueue_og subqueue titles, and therefore the node titles
of all groups that have a subqueue, regardless of node access restrictions.
This is by design and is not changed in the latest version.
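
As an added illustration (not the module's own code and not its actual fix),
the pattern the advisory describes, written in Drupal 6 style: a confirmation
message that names the group node for every batch-created subqueue, beside the
same message guarded by a node access check. The smartqueue_og_example_*
function names are hypothetical; node_load(), node_access(),
drupal_set_message() and t() are Drupal 6 core APIs.

```php
<?php
// Illustration only, not smartqueue_og's code. Function names are hypothetical.

// Vulnerable pattern: node_load() does not check access, so the message
// discloses the group title to whoever ran the batch, even when node access
// restrictions would hide that group node from them.
function smartqueue_og_example_confirm_unsafe($group_nid) {
  $group = node_load($group_nid);
  drupal_set_message(t('Created subqueue for group %title.',
    array('%title' => $group->title)));
}

// Hardened pattern: node_access('view', ...) consults the 'administer nodes'
// and 'access content' permissions and the node access grants recorded for
// the current user, so a restricted group's title is never echoed back.
// The subqueue is still created; only what the message reveals changes.
function smartqueue_og_example_confirm_safe($group_nid) {
  $group = node_load($group_nid);
  if ($group && node_access('view', $group)) {
    drupal_set_message(t('Created subqueue for group %title.',
      array('%title' => $group->title)));
  }
  else {
    // Acknowledge the action without naming a node the user may not view.
    drupal_set_message(t('Created a subqueue for a group you cannot view.'));
  }
}
```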

-------- VERSIONS AFFECTED ---------------------------------------------------

  * Smartqueue_og module for Drupal 6.x prior to Smartqueue_og 6.x-1.0-rc3 [3]
  * Smartqueue_og module for Drupal 5.x prior to Smartqueue_og 5.x-1.3 [4]

Drupal core is not affected. If you do not use the contributed Smartqueue_og
module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version.

  * If you use the Smartqueue_og module for Drupal 6.x, upgrade to
    Smartqueue_og module 6.x-1.0-rc3 [5].
  * If you use the Smartqueue_og module for Drupal 5.x, upgrade to
    Smartqueue_og module 5.x-1.3 [6].

See also the Smartqueue_og [7] module project page.
-------- REPORTED BY ---------------------------------------------------------

  * Ezra Barnett Gildesgame [8], the module maintainer.

-------- FIXED BY ------------------------------------------------------------

  * Ezra Barnett Gildesgame [9], the module maintainer.

-------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org [10] or
via the form at http://drupal.org/contact.

[1] http://drupal.org/project/smartqueue_og
[2] http://drupal.org/project/nodequeue
[3] http://drupal.org/node/617496
[4] http://drupal.org/node/617500
[5] http://drupal.org/node/617496
[6] http://drupal.org/node/617500
[7] http://drupal.org/project/smartqueue_og
[8] http://drupal.org/user/69959
[9] http://drupal.org/user/69959
[10] mailto:security at drupal.org