User has extra roles assigned after submitting password

I haven't seen this but sounds like a serious problem.

I suspect you may have already been logged in as an administrator when you followed the brief login link. Is that possible?

Can you reproduce this consistently? If so, can you replace /brief with /orig and let me know if that makes the problem go away?

Make that /original, rather than /orig.

I tried to reproduce but couldn't. So if you can make it happen again, please let me know.

I did notice that when logged in as user/1, the form is shown. When it shouldn't be shown to anyone logged in. Not sure what's going on there.

I still wasn't able to reproduce this, but I suspect I know the cause.

Should be fixed in 1.3 release, but please confirm if possible. Thanks for the report.

The /brief is not appended automatically. It's only there if you edit the email template. Whether it's there or not, the user shouldn't be getting extra roles.

Have you tried disabling the module? Could be this has nothing to do with simple password reset. If it doesn't happen when the module is disabled, how about when you manually type /original at the end of the password reset url?

I can confirm that this is a bug with this module (and still exists in 7.x.1-3). When it is enabled, new users are assigned all of the roles on my site. When it is disabled, they are simply assigned the authorized user role. This is obviously a huge security risk, as users are given roles with permissions they should not have.

I'm also using the Login Toboggan module, in case it may be a conflict with that.

Changing priority to critical to reflect the security implications of users being assigned all roles.

I'm still experiencing this problem using the 7.x-1.x-dev version, which appears to incorporate the patch from #3.

Note: I'm also using the Remember Me module, and just discovered this conflict between that module and Password Reset Landing Page that seems to result in the same problem being reported here #2081989: Combination of PRLP and Remember Me give administrator access after password reset.

Can you do me a favor and try to narrow it down? Try disabling those modules. same problem?

If not, enable the modules one at a time to narrow down the culprit. What you've written makes me suspect the problem is in one of those modules.

I just want to also throw in the fact that I have experienced this bug as well. I too am running "Remember Me" and will perform a quick differential test. I will post shortly to notify you as to the result.

On a separate note, is there any way to flag a module as security compromised and in need of repair? This issue gave administrator access to unintended users thus creating a catastrophic security issue. It was caught in time; however, I am sure that the Drupal security group would want to be able to contain these issues.

I have done some differential testing. This IS a result of a combination of the Remember Me module and this Simple Password Reset module. One key is that the modules must be enabled in the 'correct' order in order to cause this issue.

1. Enable Simple Password Rest module.
2. Enable Remember Me module.
3. Create a new user and check "Notify user of new account" before submitting.
4. Click on new account email link. You will be taken straight to the Reset Password page. Notice that the time zone is also not pre-set as it should be.
5. Change password and submit.
6. Notice that you are now an Administrator! Review of the new user record shows that EVERY role is checked.
7. Clean up your resume (just kidding, mostly).

I've pushed a release 1.4 specifically to address this issue. While it could be argued the bug lies with Drupal core, or remember_me.module, it seems like getting a fix out ASAP makes sense. So I committed something even without much review.

Please apply the patch below or upgrade to 1.4 release. And please let me know if the problem is not completely resolved. Thanks.

Index: simple_pass_reset.module
===================================================================
--- simple_pass_reset.module    (revision 5950)
+++ simple_pass_reset.module    (working copy)
@@ -134,6 +134,11 @@
  */
 function simple_pass_reset_pass_reset_submit($form, &$form_state) {
   if (!user_is_logged_in()) { // Sanity check.
+    // Remove roles that were disabled in the form. Normally user_module will array_filter() these out for us.  But remember_me and possibly other modules have bugs that might prevent user.module from doing that.
+    if (!empty($form_state['user']->roles)) {
+      $form_state['user']->roles = array_filter($form_state['user']->roles);
+    }
+
     // This logic copied from user_pass_reset().
     $account = $form_state['user'];
     $GLOBALS['user'] = $form_state['user'];

We ran into this on a site (user was assigned all roles, including administrator upon resetting password) and traced it to a combination of the remember_me and simple_password_reset module.

When I came to report it, I saw this commit... but it still seems a bit unsafe to take the user object from the form and assign it to the user global if it may have been modified by another module (even if the "fault" is with the other module).

This is the fix that we implemented in simple_pass_reset_pass_reset_submit():

    global $user;
    $account = user_load($form_state['user']->uid);
    $user = $account;

user_pass_reset() uses similar logic

Also, was really surprised that there was not a security advisory on this issue.

I installed the latest (release 1.4). I enabled Remember Me first and then Simple Password Reset. I have not experienced this problem. You could try this to resolve your issue:

1. Disable both Remember Me and Simple Password Reset.
2. Uninstall both Remember Me and Simple Password Reset.
3. Reinstall/Enable Remember Me.
4. Install Simple Password Reset - release 1.4
5. Enable Simple Password Reset.