Offering to maintain OG Forum

Im in shock too, I was planning a Videogame community site with OG and OG_Forum....

Im java developer but I have null Experiencie with PHP and I cant offer myself to fix the vulnerabilities discovered by th security team.

Please someone fix it...

OG_FORUMs FTW :)

subscribing

subscribing

I just want remind to the process for taking over abandoned projects with security issues:

If you wish to take over a project that is abandoned for security reasons, post a patch to the project's issue queue which addresses the vulnerability and reference that patch in your request to take over the project.

So we need a patch first and I'm also interested in getting a secure version again. But I don't want obtrude me on taking over this project. ;-) So if pumpkinkid is ready it would be a pleasure! I can help to review, write and evolve the patch.

OG Forum updates public/private status direct over a HTTP Request (Link in the Admin UI) ...
Therefore I can send you a mail or redirect a URL of my server to a special prepared link (with the exact IDs) to get the forum accessible for the public. A good solution you can find in OG itself http://example.com/og/users/1 when giving membership or revoke it to/from a user.

+1

subscribe

I'd be happy to help on this in any way I can. I'm not an expert on PHP security, but I do have some experience, and would be happy to assist pumpkinkid or anyone else working on this with testing or anything else you'd like me to do. I'll be looking over the module code as well...

Wow this is a shock. I really hope we can get a fix together. This module is a must for almost all my client sites as well... :\

Hi

I'm interesting in this module too.
At this time I'm using the 6.x1.4 version since the 6.x-2x prevent the user to create posting if the forum is mixed in organic group forums and general forums.
Unfortunatelly I have little PHP skils so cannot provide many help, but i would test the new version.

PS: It's really sad that the maintainer paul booker given up this project... very very bad...

subscribe

Subscribing!

Subscribe!
@Drake: I've posted a patch for 2.x-dev fixing (maube it still needs some test) the issue with OG.

@crifi: maybe adding a FORM to edit such private/public visibility could be the solution. Could you point me to the right code line? I'll work on that issue ASAP.

ps: I'd like to help in co-maintaining this module too.

@thePanz
You mean this patch?
http://drupal.org/files/issues/og_forum-651672-67.patch
I will test it imadiatelly and will share my experience with that...

@Drake: yep! waiting for your comments on the issue thread!

+1

We are actively developing a site that relies on og_forum and can very likely contribute some coding hours if needed.

subscribing

I've written a fix for the CSRF. Since this issue here is a "offering maintain" request I've opened a new issue here: #1055424: SA-CONTRIB-2011-004. Please help and review the patch, thanks!

@thePanz
I've checked the newest 6.x-2x-dev and your patch was already included.
Then I replaced the v6.14 with 6.x-2x-dev and have some problems.

1) I created every forum through the "OG_forum create" option which can be found in the og_group detail block.
I did it using the 6.x-1.4 version.
My forum path to a single forum was; mysite/forum/container/og_forum1
Now using 6.x-2x-dev, the forums in group has an path: mysite/og/container/og/forum
The page mysite/og/container/og/forum shows all the forums in the single group but if I try to access the particular forum in the group (path: mysite/forum/container/og_forum1) then the forum cannot be accessed... the whole page freezes and crashes...

2) If I access the Forum from main page mysite/forum then all forums (og forums) are visible and listed but if I try to access any forum (path: mysite/forum/container/og_forum1) then the page freezes and crashes again....

I think this is caused by 'wrong' forum links... i think this has been changed in 6.x-2x-dev

PS: I use forum access module too...

Unfortunatelly, i cannot delete all the forums and cannot create it again becasue all my posting would be lost and could not be assigned again to the single group forums.

@Drake: I can confirm the crash. Please refer to the issue #1056428: Apache crash when visiting forum/TID I've just opened (with solution).

@thePanz
I tested the new patch and it works!!!
Thenks to all you efforts!
It's great to see that there are people who want get this module working and keep developing on this module.

Now I'm using the og_forums 6.x-2x-dev in connection with advanced_forum-6.x-2.0-alpha3 and forum_access-6.x-1.5 and it seems to work!

Great work.... now we need only an patch to get the og_forums secured!

subscribe

So nice to see people coming to the aid of a great mod. I'll do whatever I can (not a php wiz) to help keep it alive. Maybe sponsor some code to get the bugs out?

subscribing

subscribing

Happy to test once a fix is in the dev version. Thanks.

subscribing...

Thanks for all the great work guys. I was updating modules on my site tonight and went into a complete panic when I saw the message on my updates report page. Seeing this thread has made me feel much better. :)

subscribing

Sub

Subscribing. Would love to help, but I'm spread far too thinly already.

Subscribing

Please guys, if you really want to help and you have the skills don't only subscribe to this issue or offer your help here. Go to #1055424: SA-CONTRIB-2011-004 instead and help to complete the patch there! Otherwise we will have this situation: http://www.corsinet.com/braincandy/hlife.html ;-)

subscribe

subscribing

subscribing

Please let pumpkinkid take over the support of OG forum!

Subscribing - really want to see tgus module working again :)

I've given up this module... have replaced this OG-forum using a solution: views, taxonomy

Has pumpkinkid been given this project to maintain?

The project page is http://drupal.org/project/og_forum.

Has anybody of the security team been contacted about the module?

Lets hope we can move on soon then

how sad.