• Advisory ID: DRUPAL-PSA-2014-002
  • Project: Drupal core
  • Version: 6.x, 7.x
  • Date: 2014-May-21
  • Security risk: Not critical
  • Exploitable from: Remote
  • Vulnerability: Information Disclosure

Description

This is a public service announcement regarding the "access site reports" permission (labeled as "View site reports" in the Drupal 7 administrative interface) provided by Drupal 6 and 7 core.

This permission allows users to see logs (for example, those provided by the core Database Logging module) and other reports via the administrative interface of a Drupal site. Due to the nature of the data logged by various core and contributed modules, users with this permission can see information in the logs that they otherwise may not have access to (for example, the titles of nodes that are restricted by node access).

As such:

  • This permission should be granted to trusted site administrators only. It is now listed as an advanced permission at https://drupal.org/security-advisory-policy, and a future release of Drupal 7 core will mark it as restricted on the permissions page as well.
  • Developers may freely use Drupal's watchdog() function to log relevant information about the actions they are performing (without worrying about minor information disclosure or access bypass issues). However, care should still be taken to only log what is necessary. For example, logging extremely sensitive information such as plain-text user passwords (see SA-CONTRIB-2010-091) would still be considered a security issue because plain-text passwords should never be saved or displayed anywhere on the site.

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

All versions of Drupal 6 and Drupal 7 core.

Solution

Only grant trusted site administrators the "access site reports"/"View site reports" permission.

Also see the Drupal core project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.


Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity