• Advisory ID: SA-CONTRIB-2009-095
  • Project: Smartqueues for Organic Groups (smartqueue_og) (third-party module)
  • Version: 6.x
  • Date: 2009 November 4
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass

Description

The Smartqueue_og module uses Nodequeue's Smartqueue API to provide a Nodequeue for each organic group, editable by members of that group or by the group's administrators. Users with the "administer nodequeue" permission can batch-create subqueues (individual instances of a queue) for all eligible organic group nodes. For each subqueue that is created, a confirmation message is displayed containing the title of the organic group node. The message is built without checking that the current user has permission to view that group node, so group titles can be disclosed to a user who is not allowed to see them under the site's node access restrictions. A similar message, with the same missing check, is also displayed when an eligible group node is submitted.

Smartqueue_og users should also note:

Subqueue titles contain the title of the organic group node to which the subqueue is related. Users with the 'manipulate all queues' or 'manipulate all og queues' permissions will be able to view all smartqueue_og subqueue titles, and therefore the node titles of all groups that have a subqueue, regardless of node access restrictions.

This is by design and is not changed in the latest version.
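The following Drupal 6 style snippet is an illustrative example added to this advisory; it is not code from the smartqueue_og module and the function names (example_subqueue_created_message_insecure, example_subqueue_created_message, example_batch_create_subqueues) and the $group_nids input are hypothetical. It contrasts the vulnerable pattern described above, a confirmation message that echoes the group node title to whoever ran the batch, with a version that consults node_access() before including the title. node_access(), node_load(), drupal_set_message() and t() are Drupal 6 core APIs; node_access() is what consults the grants that node access modules such as og_access register through hook_node_grants().

```php
<?php
// Illustrative example added to this advisory. Not code from the
// smartqueue_og module; function names and $group_nids are hypothetical.
// node_access(), node_load(), drupal_set_message() and t() are Drupal 6 core.

/**
 * Vulnerable pattern: the group node's title is placed in a status message
 * for the current user without asking whether that user may view the node.
 * Any account with 'administer nodequeue' running the batch therefore sees
 * the titles of groups that node access would otherwise hide from it.
 */
function example_subqueue_created_message_insecure($group_node) {
  drupal_set_message(t('Created subqueue for group %title.',
    array('%title' => $group_node->title)));
}

/**
 * Hardened pattern: confirm the action for every group, but include the
 * title only when the acting account passes the 'view' node access check.
 * The denied branch deliberately reveals nothing that identifies the group.
 */
function example_subqueue_created_message($group_node, $account = NULL) {
  global $user;
  if (!isset($account)) {
    $account = $user;
  }
  if (node_access('view', $group_node, $account)) {
    // %title is run through check_plain() by t() before output.
    drupal_set_message(t('Created subqueue for group %title.',
      array('%title' => $group_node->title)));
  }
  else {
    drupal_set_message(t('Created subqueue for a group you do not have permission to view.'));
  }
}

/**
 * Batch loop over eligible group node IDs. Where the IDs come from (the
 * module's own query for eligible organic groups) is outside this example.
 */
function example_batch_create_subqueues(array $group_nids) {
  foreach ($group_nids as $nid) {
    $group_node = node_load($nid);
    if ($group_node) {
      // ... create the subqueue for $group_node here ...
      example_subqueue_created_message($group_node);
    }
  }
}
```

The same check applies to the message emitted when an eligible group node is submitted. Note that it only closes the confirmation-message path: as the advisory states, subqueue titles themselves still carry the group title and remain visible to anyone holding 'manipulate all queues' or 'manipulate all og queues', so those permissions should be granted only to roles that are trusted to see the titles of all groups on the site.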

Versions affected

  • Smartqueue_og module for Drupal 6.x versions prior to 6.x-1.0-rc3.
  • Smartqueue_og module for Drupal 5.x versions prior to 5.x-1.3.

Drupal core is not affected. If you do not use the contributed Smartqueue_og module, there is nothing you need to do.

Solution

Install the latest version.

  • If you use the Smartqueue_og module for Drupal 6.x, upgrade to Smartqueue_og module 6.x-1.0-rc3.
  • If you use the Smartqueue_og module for Drupal 5.x, upgrade to Smartqueue_og module 5.x-1.3.

See also the Smartqueue_og module project page.

Reported by

Fixed by

Contact

The security team for Drupal can be reached at security@drupal.org or via the form at http://drupal.org/contact.