  • Advisory ID: DRUPAL-SA-CONTRIB-2011-047
  • Project: OG Features (third-party module)
  • Version: 6.x
  • Date: 2011-October-05
  • Security risk: Highly critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass

Description

OG Features provides a mechanism for group administrators to enable or disable certain bundles of functionality, or features, within the groups they administer. The module turns components on and off within a given group by overriding the access callback of every menu item and checking its own conditions before handing off to the original access callback.

When local task menu items are declared in hook_menu(), they often omit an access callback and access arguments, leaving those to be inherited from the parent path. OG Features did not check for this condition, and therefore granted access to many pages that contained local tasks, regardless of roles or permissions. As a result, many administration pages were left open to users, both anonymous and authenticated, giving them control over the site.
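The following is an added illustration of the failure mode described above, written for this advisory; it is not OG Features' own code, and the module name "mymod", the variable name "mymod_disabled_feature_paths" and the helper functions are hypothetical. It contrasts a hook_menu_alter() that blindly wraps every router item (so a local task with no access callback of its own ends up with nothing to defer to and falls open) against one that leaves inheritance intact and fails closed.

```php
<?php
// Drupal 6 resolves inherited access AFTER hook_menu_alter(): in
// _menu_router_build(), an item with neither 'access callback' nor
// 'access arguments' copies both from its parent path. Setting a callback
// in hook_menu_alter() therefore switches that inheritance off.

/**
 * Hypothetical per-feature check: paths under a disabled feature are blocked.
 * The list of disabled path prefixes comes from a (hypothetical) site variable.
 */
function mymod_feature_enabled_for_path($path) {
  $disabled_prefixes = variable_get('mymod_disabled_feature_paths', array());
  foreach ($disabled_prefixes as $prefix) {
    if (strpos($path, $prefix) === 0) {
      return FALSE;
    }
  }
  return TRUE;
}

/**
 * VULNERABLE PATTERN: wrap every item, including local tasks that omit
 * 'access callback' on purpose so they inherit the parent's check.
 */
function mymod_vulnerable_menu_alter(&$items) {
  foreach ($items as $path => &$item) {
    $original_callback = isset($item['access callback']) ? $item['access callback'] : NULL;
    $original_args = isset($item['access arguments']) ? $item['access arguments'] : array();
    // Inheritance is now disabled for this item; if $original_callback is NULL
    // the wrapper below has nothing to defer to.
    $item['access callback'] = 'mymod_vulnerable_access';
    $item['access arguments'] = array($path, $original_callback, $original_args);
  }
}

function mymod_vulnerable_access($path, $original_callback, $original_args) {
  if (!mymod_feature_enabled_for_path($path)) {
    return FALSE;
  }
  if (empty($original_callback)) {
    // Local task that relied on inheritance: no check remains, so the page is
    // reachable by anyone, anonymous users included. This is the bypass.
    return TRUE;
  }
  return (bool) call_user_func_array($original_callback, $original_args);
}

/**
 * HARDENED PATTERN: only wrap items that declare their own access check.
 * Items relying on inheritance keep inheriting the parent's (wrapped)
 * callback when _menu_router_build() runs, so the feature check still applies.
 */
function mymod_hardened_menu_alter(&$items) {
  foreach ($items as $path => &$item) {
    if (!isset($item['access callback']) && !isset($item['access arguments'])) {
      continue;  // Leave inheritance to Drupal.
    }
    // Drupal's own default when only 'access arguments' is given is user_access().
    $callback = isset($item['access callback']) ? $item['access callback'] : 'user_access';
    $args = isset($item['access arguments']) ? $item['access arguments'] : array();
    $item['access callback'] = 'mymod_hardened_access';
    $item['access arguments'] = array($path, $callback, $args);
  }
}

function mymod_hardened_access($path, $callback, $args) {
  if (!mymod_feature_enabled_for_path($path)) {
    return FALSE;
  }
  // 'access callback' => TRUE/FALSE is legal in Drupal 6; honour it as-is.
  if (is_bool($callback)) {
    return $callback;
  }
  // Anything else must be a real function; otherwise deny rather than allow.
  if (!is_string($callback) || !function_exists($callback)) {
    return FALSE;
  }
  return (bool) call_user_func_array($callback, $args);
}
```

The two differences that matter are the `continue` for items with no access declaration of their own, which preserves Drupal's parent-path inheritance, and the fail-closed default in the wrapper when no usable original callback exists. Reviewing a module that rewrites access callbacks for every router item, those are the two places to look.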

Versions affected

  • OG Features 6.x-1.x versions prior to 6.x-1.2.

Drupal core is not affected. If you do not use the contributed OG Features module, there is nothing you need to do.

Solution

Install the latest version:

See also the OG Features project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.