Drupal module OG Forum has a security vulnerability and is no longer supported
------------------------------------------------------------------------------

                 Key: MIFOSADMIN-327
                 URL: http://mifosforge.jira.com/browse/MIFOSADMIN-327
             Project: mifos administration
          Issue Type: Bug
            Reporter: Keith Pierce


Mifos.org uses module [OG Forum|http://drupal.org/project/og_forum] to support 
group discussions. The [Drupal support site recently 
announced|http://drupal.org/node/1048906] that the module has a security 
exposure, that this module will no longer be supported, and that sites should 
disable it. They explained that no one is actively maintaining the module in 
order to fix the exposure.

The exposure is described as:

{quote}
OG Forum does not properly implement access controls on private forums it 
creates, which can lead to a private group's forums becoming public via Cross 
Site Request Forgeries (CSRF). Additionally, OG Forum stores private group and 
forum information in a global vocabulary, which can lead to information such as 
group and forum names being disclosed to members not part of the private group.
{quote}
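The advisory describes two separate failures: a state-changing action (making a private group's forum public) that can be triggered cross-site, and an access check that does not confirm the requester administers that group. The following is an added illustration of the hardened pattern in Drupal 6 module style; it is not OG Forum's code, the module name, paths and `og_forum_hardening_set_public()` are hypothetical, and `og_is_group_admin()` is assumed from the Organic Groups module.

```php
<?php
// Hypothetical og_forum_hardening.module (Drupal 6 API). Added example, not OG Forum code.

/**
 * Implements hook_menu().
 */
function og_forum_hardening_menu() {
  $items = array();
  // Weak pattern the advisory warns about: a plain GET link that flips a private
  // forum to public, gated only by 'access content' and carrying no CSRF token.
  // $items['og/forum/%node/publish'] = array(
  //   'page callback'    => 'og_forum_hardening_publish',
  //   'page arguments'   => array(2),
  //   'access arguments' => array('access content'),
  //   'type'             => MENU_CALLBACK,
  // );
  // Hardened: access is decided per group, and the action needs a session-bound token.
  $items['og/forum/%node/publish'] = array(
    'page callback'    => 'og_forum_hardening_publish',
    'page arguments'   => array(2),
    'access callback'  => 'og_forum_hardening_publish_access',
    'access arguments' => array(2),
    'type'             => MENU_CALLBACK,
  );
  return $items;
}

// Only an administrator of this specific group may change its forum's visibility.
function og_forum_hardening_publish_access($group) {
  global $user;
  return og_is_group_admin($group, $user); // assumed Organic Groups helper
}

// The link a group admin sees; the token ties the request to the current session,
// so a page on another site cannot construct a valid URL for the victim.
function og_forum_hardening_publish_link($group) {
  $token = drupal_get_token('og_forum_publish_' . $group->nid);
  return l(t('Make forum public'), 'og/forum/' . $group->nid . '/publish',
           array('query' => array('token' => $token)));
}

function og_forum_hardening_publish($group) {
  $token = isset($_GET['token']) ? $_GET['token'] : '';
  if (!drupal_valid_token($token, 'og_forum_publish_' . $group->nid)) {
    drupal_access_denied(); // cross-site requests arrive without a valid token
    return;
  }
  og_forum_hardening_set_public($group->nid); // hypothetical: flips the forum's visibility
  drupal_set_message(t('The forum for %group is now public.', array('%group' => $group->title)));
  drupal_goto('node/' . $group->nid);
}
```

Using a Form API confirmation form instead of a GET link gives the same token protection automatically; the second issue in the advisory (group names stored in a shared vocabulary) is a data-placement problem that no request token fixes.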

If we follow this recommendation, the site would have to abandon all group 
forums. Currently the site manages the forums listed below:

* East India: 62 members
* East Africa: 40 members
* West Africa: 31 members
* United States: 4 members
* Latin America: 2 members
* Southeast Asia: 1 member
* MENA: 1 member
* questjond: 0 members

h3. Recommendation:

Do not disable this module. Although the forum traffic is quite low and 
consists in large part of spam messages, it would not look good for us to 
abandon what little serious discussion goes on here. The exposure seems minor. 
Moreover, some developers have volunteered to fix the exposure, so there should 
be a fix forthcoming soon.


-- 
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
_______________________________________________
Mifos-issues mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/mifos-issues