[http://mifosforge.jira.com/browse/MIFOSADMIN-327?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel]
Keith Pierce updated MIFOSADMIN-327:
------------------------------------
Labels: mifosorg (was: )
> Drupal module OG Forum has a security vulnerability and is no longer supported
> ------------------------------------------------------------------------------
>
> Key: MIFOSADMIN-327
> URL: http://mifosforge.jira.com/browse/MIFOSADMIN-327
> Project: mifos administration
> Issue Type: Bug
> Reporter: Keith Pierce
> Labels: mifosorg
>
> Mifos.org uses module [OG Forum|http://drupal.org/project/og_forum] to
> support group discussions. The [Drupal support site recently
> announced|http://drupal.org/node/1048906] that the module has a security
> exposure, that this module will no longer be supported, and that sites should
> disable it. They explained that no one is actively maintaining the module in
> order to fix the exposure.
> The exposure is described as:
> {quote}
> OG Forum does not properly implement access controls on private forums it
> creates, which can lead to a private group's forums becoming public via Cross
> Site Request Forgeries (CSRF). Additionally, OG Forum stores private group
> and forum information in a global vocabulary, which can lead to information
> such as group and forum names being disclosed to members not part of the
> private group.
> {quote}
> If we follow this recommendation, the site would have to abandon all group
> forums. Currently the site manages the forums listed below:
> * East India: 62 members
> * East Africa: 40 members
> * West Africa: 31 members
> * United States: 4 members
> * Latin America: 2 members
> * Southeast Asia: 1 member
> * MENA: 1 member
> * questjond: 0 members
> h3. Recommendation:
> Do not disable this module. Although the forum traffic is quite low and
> consists in large part of spam messages, it would not look good for us to
> abandon what little serious discussion goes on here. The exposure seems
> minor. Moreover, some developers have volunteered to fix the exposure, so
> there should be a fix forthcoming soon.
--
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
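The advisory quoted in the issue names two distinct weaknesses: a state-changing forum action reachable by a forged cross-site request, and forum names kept in a global vocabulary that is listed to everyone. The following is an added illustration in Python (it is not code from the OG Forum module, Drupal, or the Mifos site); the group data, session table, secret key and function names are all constructed for the example. It contrasts a handler that trusts the session cookie alone with one that requires a session-bound CSRF token and an explicit admin check, and a global forum listing with one scoped to membership.

```python
import copy
import hashlib
import hmac
import secrets

# Constructed sample data (not the Mifos site's groups): two private groups,
# each with an admin, plus a site user who belongs to neither.
GROUPS = {
    "East India": {"private": True, "admins": {"alice"}, "members": {"alice", "bob"}},
    "East Africa": {"private": True, "admins": {"carol"}, "members": {"carol"}},
}
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob", "sess-eve": "eve"}

# Hypothetical per-site secret used to mint CSRF tokens; regenerated here on each run.
SECRET_KEY = secrets.token_bytes(32)


def fresh_groups():
    """Return an independent copy of the sample data so each scenario starts clean."""
    return copy.deepcopy(GROUPS)


def csrf_token(session_id, action):
    """Mint a token bound to both the session and the specific action.
    A page on another origin cannot read it, so a forged request cannot carry it."""
    msg = f"{session_id}:{action}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def set_visibility_vulnerable(groups, session_id, group, private):
    """The pattern the advisory describes: the handler trusts the session cookie
    alone and never checks who may change the forum, so a request that another
    site causes the victim's browser to send flips the forum public."""
    if session_id not in SESSIONS:
        return "unauthenticated"
    groups[group]["private"] = private
    return "ok"


def set_visibility_hardened(groups, session_id, group, private, token):
    """Same action with two independent checks: a session-bound CSRF token,
    then an explicit authorization check against the group's admin set."""
    user = SESSIONS.get(session_id)
    if user is None:
        return "unauthenticated"
    expected = csrf_token(session_id, f"visibility:{group}")
    if not hmac.compare_digest(expected, token or ""):
        return "csrf-token-invalid"
    if user not in groups[group]["admins"]:
        return "forbidden"
    groups[group]["private"] = private
    return "ok"


def forum_names_global(groups, user):
    """Second issue from the advisory: names held in one global vocabulary are
    listed to every user, disclosing which private groups exist."""
    return sorted(groups)


def forum_names_scoped(groups, user):
    """Filter the listing by membership; public forums stay visible to everyone."""
    return sorted(
        name for name, g in groups.items()
        if not g["private"] or user in g["members"]
    )


if __name__ == "__main__":
    g = fresh_groups()
    print("vulnerable, cookie only:", set_visibility_vulnerable(g, "sess-alice", "East India", False))
    g = fresh_groups()
    print("hardened, no token:", set_visibility_hardened(g, "sess-alice", "East India", False, ""))
    print("hardened, member but not admin:",
          set_visibility_hardened(g, "sess-bob", "East India", False,
                                  csrf_token("sess-bob", "visibility:East India")))
    print("global listing for eve:", forum_names_global(g, "eve"))
    print("scoped listing for eve:", forum_names_scoped(g, "eve"))
```

The token check and the authorization check are deliberately separate: the token stops a request the victim never intended to send, while the admin check stops a legitimate but unprivileged member from changing a group's visibility. Either one alone would leave one of the two paths open.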
_______________________________________________
Mifos-issues mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/mifos-issues