====================================================================

                                CERT-Renater

                      Note d'Information No. 2012/VULN166
____________________________________________________________________

DATE                : 29/03/2012

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running Organic Groups for DRUPAL
                        versions 6.x-2.x prior to 6.x-2.3.

======================================================================
http://drupal.org/node/1507446
______________________________________________________________________

SA-CONTRIB-2012-053 - Organic Groups - Access Bypass
Posted by Drupal Security Team on March 28, 2012 at 7:47pm

    * Advisory ID: DRUPAL-SA-CONTRIB-2012-053
    * Project: Organic groups (third-party module)
    * Version: 6.x
    * Date: 2012-March-28
    * Security risk: Moderately critical
    * Exploitable from: Remote
    * Vulnerability: Access bypass

Description

Organic groups (OG) enables users to create and manage their own 'groups'.
Each group can have subscribers, and maintains a group home page where
subscribers communicate amongst themselves.

The module's Views integration does not filter out information from
display groups to which the current user does not have access, exposing
private group titles and the fact that the content is associated with the
group.


Versions affected

    * Organic Groups 6.x-2.x versions prior to 6.x-2.3.

Drupal core is not affected. If you do not use the contributed Organic
groups module, there is nothing you need to do.


Solution

Install the latest version:

    * If you use the Organic Groups module for Drupal 6.x, upgrade to
Organic Groups 6.x-2.3

Also see the Organic groups project page.


Reported by

    * John f Galvin

Fixed by

    * Adam Ross the module maintainer

Coordinated by

    * Ben Jeavons of the Drupal Security Team
    * Greg Knaddison of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via
the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing
secure code for Drupal, and securing your site.


Categories: Drupal 6.x


======================================================================

=========================================================
Serveur de référence du CERT-Renater
https://services.renater.fr/ssi/
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
+ 75013 Paris           | email: certsvp@renater.fr     +
=========================================================