in http://drupal.org/project/og_rsvp (6.x)
global $user;
// some lines of code
foreach ($attendees as $my_uid) {
  // each iteration overwrites the global $user with the attendee's account
  $user = user_load($my_uid);
}
There is also an XSS waiting to happen in a sibling module maintained by the same developer: http://drupal.org/project/og_titles
drupal_set_message('error: gid is not numeric: '.$node.' or '.arg(2));
it does not seem to be exploitable since this line cannot be executed due to the code path, but the maintainer surely needs some education on XSS.
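The pattern reported above, unsafe and fixed side by side, as an added example that is not og_rsvp's own code. It assumes a Drupal 6 bootstrap; the function names, the attendee ids and the 'rsvp to events' permission are hypothetical.

```php
<?php
// Added example, not code from og_rsvp. Assumes Drupal 6 (user_load(),
// user_access(), sess_write() as in core 6.x). Names are hypothetical.

/**
 * Unsafe pattern, as reported: the loop clobbers the global $user object.
 *
 * Everything that runs later in the same request (user_access() with no
 * $account argument, node access checks, "logged in as" theme output) now
 * acts as the last attendee loaded. Worse, Drupal 6's sess_write() stores
 * $user->uid back into the {sessions} table at shutdown, so the visitor's
 * browser session can end up bound to that attendee's account.
 */
function _og_rsvp_example_unsafe(array $attendees) {
  global $user;
  foreach ($attendees as $my_uid) {
    $user = user_load($my_uid); // overwrites the current visitor
  }
}

/**
 * Fixed pattern: load each attendee into a local variable and leave the
 * global $user alone. Pass the account explicitly to APIs that would
 * otherwise fall back to the global user.
 */
function _og_rsvp_example_safe(array $attendees) {
  $loaded = array();
  foreach ($attendees as $my_uid) {
    $account = user_load(array('uid' => (int) $my_uid));
    if ($account === FALSE) {
      continue; // unknown uid, skip it
    }
    // Act on $account, never on $user.
    if (user_access('rsvp to events', $account)) { // hypothetical permission
      $loaded[$account->uid] = $account;
    }
  }
  return $loaded;
}

/**
 * Regression check for the bug: the visitor's uid must be the same before
 * and after the loop. Suitable for a SimpleTest case or a development-time
 * watchdog() assertion.
 */
function _og_rsvp_example_user_unchanged(array $attendees) {
  global $user;
  $before = $user->uid;
  _og_rsvp_example_safe($attendees);
  return $user->uid === $before;
}
```

A quick audit for the same class of bug is to grep the module for functions that declare `global $user;` and then assign to `$user` anywhere in their body; in normal Drupal code the global is only read, never reassigned.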
Comments
Comment #1
scor commented
From Jakub Suchy:
> I don't see this anywhere in revision 1.1.2.1 (drupal-6--1) or in head.
>
> global $user is only used in functions: og_rsvp_rsvp_access,
> og_rsvp_rsvp, og_rsvp_rsvp_submit. None of which modify $user.
>
> Is the local $user variable in _og_rsvp_update or og_rsvp_og inheriting
> something? Because those functions don't have a global $user defined.
>
> http://cvs.drupal.org/viewvc.py/drupal/contributions/modules/og_rsvp/og_...
>
It seems that you have removed that in the last commit.
Can you also please check og_rsvp_mail() function? You are using !tokens
and injecting stuff like node title into them - that might actually
cause XSS - it's in mail so it might not be a big problem, but it's
better to fix anyway
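The escaping rule behind both the og_titles drupal_set_message() line in the report and the !tokens in og_rsvp_mail() raised in this comment, as an added example that is not code from either module. It assumes Drupal 6's t() placeholder semantics; the function names and the node title are constructed for illustration.

```php
<?php
// Added example, not og_titles or og_rsvp code. Assumes Drupal 6: t()
// escapes "@var" with check_plain(), escapes "%var" and wraps it in <em>,
// and inserts "!var" raw. Function names are hypothetical.

/**
 * The reported line, reduced: $node (an object, or whatever arg(2) happens
 * to be) is concatenated straight into an HTML status message.
 */
function og_titles_example_unsafe($node) {
  drupal_set_message('error: gid is not numeric: ' . $node . ' or ' . arg(2));
}

/**
 * Hardened: use t() placeholders so every value that reaches the HTML
 * status area passes through check_plain(). Never put request-controlled
 * text behind "!" in a string that will be rendered as HTML.
 */
function og_titles_example_safe($node) {
  $gid = is_object($node) ? $node->nid : $node;
  drupal_set_message(t('Error: group id is not numeric: @gid or @arg', array(
    '@gid' => $gid,
    '@arg' => arg(2),
  )), 'error');
}

/**
 * Returns the escaped and the raw rendering of one title, to compare in a
 * test or at the command line. With a constructed title such as
 * '<script>alert(1)</script>' only the "@" form is safe in HTML output.
 */
function og_titles_example_placeholders($title) {
  return array(
    'escaped' => t('@t', array('@t' => $title)),
    'raw'     => t('!t', array('!t' => $title)),
  );
}

/**
 * hook_mail() with the same rule applied. Drupal 6 sends plain-text mail by
 * default, where a raw "!" value is displayed as text and "@" would show
 * HTML entities to the reader; if the site sends HTML mail (an HTML mail
 * module is installed), switch to the "@" lines and drop the "!" ones.
 */
function og_rsvp_example_mail($key, &$message, $params) {
  $node = $params['node'];
  // Plain-text mail (Drupal 6 default): strip any markup, then insert raw.
  $title = strip_tags($node->title);
  $message['subject'] = t('RSVP for !title', array('!title' => $title));
  $message['body'][] = t('You are attending !title.', array('!title' => $title));
  // HTML mail variant: let t() escape the title instead.
  // $message['subject'] = t('RSVP for @title', array('@title' => $node->title));
  // $message['body'][] = t('You are attending @title.', array('@title' => $node->title));
}
```

The practical check for a module is to grep for `'!` inside `t()` calls and for string concatenation into drupal_set_message(), form error messages and theme output; each hit should be either a trusted, already-escaped string or converted to `@` or `%`.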