Posted by scor on September 11, 2009 at 10:03am
| Project: | OG RSVP |
| Version: | 6.x-1.x-dev |
| Component: | Code |
| Category: | bug report |
| Priority: | critical |
| Assigned: | Unassigned |
| Status: | active |
Issue Summary
In http://drupal.org/project/og_rsvp (6.x):
<?php
global $user;
// some lines of code
foreach ($attendees as $my_uid) {
  // Assigns to the global $user: the current user of the request is replaced
  // on every iteration and stays replaced after the loop ends.
  $user = user_load($my_uid);
}
?>
There is also an XSS waiting to happen in a sibling module maintained by the same developer: http://drupal.org/project/og_titles
<?php
// $node and arg(2) are concatenated into an HTML message without check_plain().
drupal_set_message('error: gid is not numeric: '.$node.' or '.arg(2));
?>
It does not seem to be exploitable since this line cannot be executed due to the code path, but the maintainer surely needs some education on XSS.
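An added example, not code from og_rsvp or og_titles, showing why the loop above is a privilege problem and what the fix looks like. The Drupal API functions (user_load, check_plain, drupal_set_message) are minimal stand-ins written here as assumptions so the script runs with the plain PHP CLI; in Drupal 6 the real ones come from the core bootstrap. The accounts table and the bad path argument are constructed sample data.

```php
<?php
// Constructed user table: uid => account object (stand-in for the users table).
$accounts = array(
  1 => (object) array('uid' => 1, 'name' => 'admin', 'roles' => array(2 => 'authenticated user', 3 => 'administrator')),
  7 => (object) array('uid' => 7, 'name' => 'alice', 'roles' => array(2 => 'authenticated user')),
  9 => (object) array('uid' => 9, 'name' => 'bob',   'roles' => array(2 => 'authenticated user')),
);

// Stand-in for Drupal 6 user_load(): returns the account object for a uid.
function user_load($uid) {
  global $accounts;
  return isset($accounts[$uid]) ? $accounts[$uid] : FALSE;
}

// Stand-in for check_plain(): HTML-escape a string before it is rendered.
function check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Stand-in for drupal_set_message(): collect messages instead of rendering them.
$messages = array();
function drupal_set_message($message) {
  global $messages;
  $messages[] = $message;
}

// The pattern from the issue summary: the loop assigns to the global $user,
// so once the loop finishes the rest of the request runs as the last attendee.
function notify_attendees_buggy($attendees) {
  global $user;
  $lines = array();
  foreach ($attendees as $my_uid) {
    $user = user_load($my_uid);          // clobbers the acting user
    $lines[] = $user->name . ' has been notified';
  }
  return $lines;
}

// Fixed: load each attendee into a local variable with a distinct name and
// only ever read the global $user.
function notify_attendees_fixed($attendees) {
  global $user;
  $lines = array();
  foreach ($attendees as $my_uid) {
    $attendee = user_load($my_uid);
    $lines[] = $attendee->name . ' has been notified by ' . $user->name;
  }
  return $lines;
}

// Request starts with admin (uid 1) logged in.
$user = user_load(1);
notify_attendees_buggy(array(7, 9));
printf("after the buggy loop the request runs as: %s (uid %d)\n", $user->name, $user->uid);

$user = user_load(1);
notify_attendees_fixed(array(7, 9));
printf("after the fixed loop the request runs as: %s (uid %d)\n", $user->name, $user->uid);

// The og_titles message: arg(2) is a path component chosen by the visitor, so
// it has to pass through check_plain() before it goes into an HTML message.
// Constructed value standing in for arg(2):
$arg2 = '<b>not a number</b>';
drupal_set_message('error: gid is not numeric: ' . check_plain($arg2));
echo end($messages), "\n";
```

Running it shows the request finishing as uid 9 after the buggy loop and as uid 1 after the fixed one; any access check or node save that follows the loop in the real module would be made with the wrong account in the first case. The escaped message prints the tag as literal text instead of markup.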
Comments
#1
from Jakub Suchy
> I don't see this anywhere in revision 1.1.2.1 (drupal-6--1) or in head.
>
> global $user is only used in functions: og_rsvp_rsvp_access,
> og_rsvp_rsvp, og_rsvp_rsvp_submit. None of which modify $user.
>
> Is the local $user variable in _og_rsvp_update or og_rsvp_og inheriting
> something? Because those functions don't have a global $user defined.
>
> http://cvs.drupal.org/viewvc.py/drupal/contributions/modules/og_rsvp/og_...
>
It seems that you have removed that in the last commit.
Can you also please check og_rsvp_mail() function? You are using !tokens
and injecting stuff like node title into them - that might actually
cause XSS - it's in mail so it might not be a big problem, but it's
better to fix anyway
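An added example, not part of Jakub Suchy's comment or of og_rsvp, of the placeholder distinction the comment is about. The t() and check_plain() here are small stand-ins written as assumptions that mirror Drupal 6 behaviour (! placeholders are inserted verbatim, @ is run through check_plain(), % is check_plain() wrapped as a placeholder) so the script runs with the plain PHP CLI; the node object and function names are constructed for the example.

```php
<?php
// Stand-in for check_plain(): HTML-escape a string.
function check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Stand-in for Drupal 6 t(): substitute placeholders according to their prefix.
function t($string, $args = array()) {
  foreach ($args as $key => $value) {
    switch ($key[0]) {
      case '@':
        $args[$key] = check_plain($value);                  // escaped
        break;
      case '%':
        $args[$key] = '<em>' . check_plain($value) . '</em>'; // escaped + emphasised
        break;
      // '!' placeholders are passed through unchanged.
    }
  }
  return strtr($string, $args);
}

// Constructed node whose title contains markup chosen by whoever created it.
$node = (object) array('nid' => 42, 'title' => 'Meetup <img src=x onerror=alert(1)>');

// The reported pattern: a !token carries the node title into the mail body raw.
function rsvp_body_raw($node) {
  return t('You have been invited to !title.', array('!title' => $node->title));
}

// Fixed: an @token is check_plain()ed by t(), so the title cannot inject markup.
function rsvp_body_escaped($node) {
  return t('You have been invited to @title.', array('@title' => $node->title));
}

echo "raw:     ", rsvp_body_raw($node), "\n";
echo "escaped: ", rsvp_body_escaped($node), "\n";
```

The choice depends on how the text is rendered: Drupal 6's drupal_mail() sends text/plain by default, where the raw title is harmless and an escaped one would show literal entities, but the same !token string reused in an HTML mail or on a page becomes a stored XSS. Using @ for any user-supplied value is the safe default unless the output is known to be plain text.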