
====================================================================

                             CERT-Renater

                  Information Note No. 2012/VULN385
____________________________________________________________________

DATE                : 27/09/2012

HARDWARE PLATFORM(S): /


OPERATING SYSTEM(S) : Systems running Organic groups for Drupal
                        versions 7.x prior to 7.x-1.5.

======================================================================
http://drupal.org/node/1796036
______________________________________________________________________

SA-CONTRIB-2012-148 - OG - Access Bypass
Posted by Drupal Security Team on September 26, 2012 at 8:46pm

    Advisory ID: DRUPAL-SA-CONTRIB-2012-148
    Project: Organic groups (third-party module)
    Version: 7.x
    Date: 2012-September-26
    Security risk: Moderately critical
    Exploitable from: Remote
    Vulnerability: Access bypass

Description

OG (Organic groups) enables users to create and manage their own
'groups'. Each group can have subscribers, and maintains a group home
page where subscribers communicate amongst themselves. A group
membership can be given immediately upon subscribing, or be pending -
waiting for a group administrator to approve it.

OG doesn't properly maintain pending memberships if the user is allowed
to edit their own account.

In addition, under certain circumstances, a user was able to post to a
group of which they were not a member.

There are no additional mitigating factors for these issues.

CVE: Requested

Versions affected

    OG (Organic groups) 7.x-1.x versions prior to 7.x-1.5.

Drupal core is not affected. If you do not use the contributed Organic
groups module, there is nothing you need to do.


Solution

Install the latest version:

    If you use the OG 7.x-1.x module for Drupal 7.x, upgrade to OG
    (Organic groups) 7.x-1.5

Also see the Organic groups project page.
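As an added example (not part of the advisory, the OG module or Drupal), the following Python reads the version string that the drupal.org packaging script writes into a module's .info file and decides whether the installed OG release falls inside the affected range "7.x-1.x prior to 7.x-1.5". The og.info sample below is constructed; the treatment of "7.x-1.x-dev" snapshots as affected is an assumption, since a branch snapshot carries no release number.

```python
import re

# Drupal contrib release strings: "7.x-1.4", "7.x-1.5-beta1", "7.x-1.x-dev",
# "7.x-1.5+3-dev" (dev snapshot three commits after the 1.5 tag).
_VERSION_RE = re.compile(
    r'^(?P<core>\d+)\.x-(?P<major>\d+)\.(?P<minor>\d+|x)(?P<extra>[-+].*)?$')

def is_affected(version):
    """True if `version` falls under 'OG 7.x-1.x versions prior to 7.x-1.5'."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("not a Drupal contrib version string: %r" % version)
    if m.group('core') != '7' or m.group('major') != '1':
        return False          # the advisory scopes only the 7.x-1.x branch
    minor, extra = m.group('minor'), m.group('extra') or ''
    if minor == 'x':
        return True           # "7.x-1.x-dev": branch snapshot, assumed pre-fix
    minor = int(minor)
    if minor < 5:
        return True
    if minor == 5 and extra.startswith('-'):
        return True           # "7.x-1.5-beta1"-style pre-releases precede the tag
    return False              # 7.x-1.5, "7.x-1.5+N-dev", 7.x-1.6, ...

def version_from_info(info_text):
    """Return the value of the `version = "..."` line of a .info file, or None."""
    for line in info_text.splitlines():
        m = re.match(r'^\s*version\s*=\s*"?([^"\s]+)"?\s*$', line)
        if m:
            return m.group(1)
    return None

# Constructed sample of a packaged sites/all/modules/og/og.info (trailing lines).
SAMPLE_OG_INFO = '''name = Organic groups
core = 7.x
version = "7.x-1.4"
project = "og"
'''

def check_info(info_text):
    """(version, affected) for an og.info body; both None if no version line."""
    version = version_from_info(info_text)
    if version is None:
        return None, None
    return version, is_affected(version)

if __name__ == "__main__":
    print(check_info(SAMPLE_OG_INFO))
```

A site with several OG copies (sites/all/modules, sites/default/modules) should run the check against every og.info it finds, since Drupal loads whichever copy is registered.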


Reported by

    Zoltán Tóth
    John Takousis

Fixed by

    Amitai Burstein the module maintainer

Coordinated by

    Lee Rowlands
    Greg Knaddison of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or
via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing
secure code for Drupal, and securing your site.


Categories: Drupal 7.x


======================================================================

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
+ 75013 Paris           | email: certsvp@renater.fr     +
=========================================================
