Rather than attribute the discovery to the blackhat who originally posted it, I will simply repost this report, originally posted to the full-disclosure mailing list a couple of hours ago. I guess the 6.x was probably pulled just now for this very reason, but I don't see an issue, so here it is:

The OG Menu module contains a cross site scripting
(XSS) vulnerability due to the fact that it fails to sanitize menu
descriptions before display.

Systems affected:
-----------------
Drupal 6.16 with OG Menu 6.x-2.0 was tested and shown to be vulnerable

Impact
------
User could inject arbitrary scripts into pages affecting site users.
This could result in administrative account compromise leading to web
server process compromise.

Mitigating factors:
-------------------
In order to execute the proof of concept described below malicious users
must have 'Administer og menu' permission.

Proof of Concept:
-----------------
1. Install Drupal 6.16, Organic Groups module and OG Menu module
2. Create or view a piece of content in an organic group
3. Click on the 'Menu' link to view ?q=node/XX/og_menu where XX is the
node id
4. Click the 'Add Menu' link to view ?q=node/XX/og_menu/add
5. Fill in arbitrary values for the 'Menu name' and 'Title', enter
"alert('xss');" in the 'Description' text area
6. Click the 'Save' button
7. View the menu at ?q=node/13/og_menu/ to observe the JavaScript alert

Patch:
------------------------------------------
Applying the following patch mitigates this issue in version 6.x-2.0

- --- og_menu/og_menu.module 2010-02-09 07:33:31.000000000 -0500
+++ og_menu/og_menu.module 2010-05-06 13:26:44.080266269 -0400
@@ -333,6 +333,7 @@ function og_menu_overview_page($node) {
while ($menu = db_fetch_array($result)) {
$menu['href'] = 'node/'. $node->nid .'/og_menu/'. $menu['menu_name'];
$menu['localized_options'] = array();
+ $menu['description'] = check_plain($menu['description']);
$content[] = $menu;
}
return theme('admin_block_content', $content);
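Review bot: the added check_plain() only covers the rows rendered by og_menu_overview_page(); the description is still stored raw in the database, so any other code path that outputs it (jide's comment in this thread names og_menu_get_menus()) stays unescaped unless it gets the same treatment. Escape at every output point, or at least audit each place that reads $menu['description'], rather than relying on this one loop.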

Vendor Response:
----------------
Module has been unpublished per SA-CONTRIB-2010-073.

Attached file: og-menu-xss.patch (1.18 KB), by jide, comment #4
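To see what the one-line patch changes, here is an added stand-alone PHP illustration (not code from the OG Menu module or from the advisory's author). It rebuilds the loop from og_menu_overview_page() over a constructed row set, once as in 6.x-2.0 and once with the check_plain() line, and renders it through a stand-in for theme('admin_block_content') that, like Drupal 6's, prints the description unescaped. The fallback check_plain() and the render helper are assumptions for running outside a Drupal bootstrap; the sample rows and node id are constructed.

```php
<?php
// Added illustration, not the OG Menu module's own code.

// Stand-in for Drupal 6's check_plain() when no Drupal bootstrap is present.
// Drupal's version also validates UTF-8 before escaping; the escaping itself
// is htmlspecialchars() with ENT_QUOTES.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed rows in the shape db_fetch_array() returns for og_menu rows.
// The second description carries the kind of markup the advisory's step 5 enters.
function sample_menus() {
  return array(
    array('menu_name' => 'menu-og-1', 'title' => 'Group menu',
          'description' => 'Links for members'),
    array('menu_name' => 'menu-og-2', 'title' => 'Evil',
          'description' => "<script>alert('xss');</script>"),
  );
}

// Builds $content as og_menu_overview_page() does; $sanitize = FALSE reproduces
// 6.x-2.0, TRUE adds the patched line.
function build_overview_content($nid, array $rows, $sanitize) {
  $content = array();
  foreach ($rows as $menu) {
    $menu['href'] = 'node/' . $nid . '/og_menu/' . $menu['menu_name'];
    $menu['localized_options'] = array();
    if ($sanitize) {
      $menu['description'] = check_plain($menu['description']);
    }
    $content[] = $menu;
  }
  return $content;
}

// Minimal stand-in for theme('admin_block_content'): title and href are
// escaped, but the description is printed as-is, so it must already be
// escaped when it reaches the theme layer.
function render_admin_block_content(array $content) {
  $out = "<dl class=\"admin-list\">\n";
  foreach ($content as $item) {
    $out .= '<dt><a href="/' . check_plain($item['href']) . '">'
          . check_plain($item['title']) . "</a></dt>\n";
    $out .= '<dd>' . $item['description'] . "</dd>\n";
  }
  return $out . "</dl>\n";
}

// TRUE when no raw <script tag survives in the rendered markup.
function output_is_escaped($html) {
  return stripos($html, '<script') === FALSE;
}

$nid = 13; // constructed; matches the node id in the advisory's step 7
$before = render_admin_block_content(build_overview_content($nid, sample_menus(), FALSE));
$after  = render_admin_block_content(build_overview_content($nid, sample_menus(), TRUE));

echo '6.x-2.0 output escaped: ' . var_export(output_is_escaped($before), TRUE) . "\n";
echo 'patched output escaped: ' . var_export(output_is_escaped($after), TRUE) . "\n";
echo $after;
```

Run it with `php filename.php`. The unpatched rendering passes the script element straight into the `<dd>`, the patched one turns it into `&lt;script&gt;...`. The same check applies to every other function that reads the stored description, since the patch escapes at output time and leaves the database value untouched.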

Comments

geerlingguy:

Subscribe - this module provides an essential feature on a few of my sites... looking forward to patch being implemented (although this vulnerability won't be a problem on my site, as I'm the only user with the administer permission...).

endiku:

An important module that isn't easily replaced. Glad to see things being patched. As was said, if you manage your permissions carefully it isn't always a real security issue depending on the situation.

bonobo:

We have requested maintainership of this at #858622: Requesting maintainership of OG Menu

jide:

Attachment: og-menu-xss.patch (new, 1.18 KB)

@all : I am still the maintainer of the module and I sent a patch to fix the issue. Moreover, the proposed patch does not fix the issue completely, the og_menu_get_menus() method also needs to be fixed. Here is the patch I sent to the security team, I am still waiting for an answer.

heine:

"Rather than attribute the discovery to the blackhat who originally posted it"

That is not true or fair; Justin informed the Drupal security team and did not disclose until after SA-CONTRIB-2010-073 - Multiple Vulnerabilities In Multiple Contributed Modules was published.

The module was unpublished because the maintainer was not able to solve the issue.

marcp:

Thanks, jide - if you need any help with maintaining the module please feel free to contact me or jgraham.

matt2000:

@jide

Since the issue is now public, you're free to commit your patch when you're confident that the issue has been addressed. When you're ready to roll a new release, you can mark it as a security release, and then notify security@drupal.org, and the security team will coordinate with you to publish the new release.

bonobo:

@jide - any timeline on getting a new 6.x release out? As marcp indicates in #6, please let us know if you'd like a hand.

jide:

I committed my patch to HEAD. Would be great if security team could have a look and confirm it's all good. Once this is done, I'll correct those two issues (#793854: og_menu inadvertently implements hook_get_menus() and #754900: OG Menu names that start with menu- don't get associated with the group) and add folks from funnymonkey as comaintainers.

funknut:

"That is not true or fair; Justin informed the Drupal security team"

Oh, my mistake. I thought that the issue queue was the proper place for bug reports. I wonder if the maintainer would find it easier to fix if someone had posted an issue here before the disclosure.

ianchan:

subscribe

dgautsch:

subscribe

bonobo:

@funknut - see http://drupal.org/node/101494 for instructions on reporting a security issue. From that page:

If you discover a vulnerability in Drupal core or contributed module, keep it confidential. Mail us at security@drupal.org, do not post in the issue tracker.

butler360:

Subscribing.

jide:

Status: Active » Fixed

Security team has published the security release, so OG Menu is back!
I'll come back later for bug fixes and new co-maintainers.

marcp:

Thank you, jide, for taking care of this!

bonobo:

w00t!

Nice work, jide!

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.