There are multiple ways the 'administer actions' permission could be abused to gain control of a site. Example STR:
1. As user with 'administer actions' permission go to /admin/config/system/actions
2. Create an advanced action: "Add a role to the selected users..."
3. Choose the administrator role and make up a deceptive label, something like "Prevent user from placing spam comments".
4. Trick the admin into performing that action on your account through the 'mass mutation' option on the people overview.
From the Drupal 8 security bug bounty
https://tracker.bugcrowd.com/submissions/71023cebc6c19161ed8bb4a0dbee8ae...
credit to https://www.drupal.org/u/JvE
Marking this as a security improvement since it's an indirect attack vs. a direct XSS or other security hole.
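As an added defensive check (not part of this issue or its patch), the drush script below lists every configured action built on the role-adding plugin together with the role it grants, and flags any whose label does not name that role, which is exactly the deceptive-label pattern described in the STR. It assumes Drupal 8's action config entity API and core's `user_add_role_action` plugin id; the script file name is made up.

```php
<?php
// Added audit snippet, not code from this issue or its patch.
// Run with: drush php-script audit_role_actions.php (file name is an assumption)
// Assumes Drupal 8 core: the 'action' config entity type and the user module's
// 'user_add_role_action' plugin, whose configuration holds the target role id.

use Drupal\user\Entity\Role;

$storage = \Drupal::entityTypeManager()->getStorage('action');
foreach ($storage->loadMultiple() as $action) {
  // Only actions that add a role are relevant to this abuse scenario.
  if ($action->getPlugin()->getPluginId() !== 'user_add_role_action') {
    continue;
  }
  $config = $action->get('configuration') ?: [];
  $rid = $config['rid'] ?? '(unset)';
  $role = Role::load($rid);
  $role_label = $role ? $role->label() : '(missing role)';
  $is_admin = $role && $role->isAdmin();
  $label = $action->label();
  // A label that never mentions the granted role deserves a second look;
  // an admin-granting action with such a label is the case from the STR.
  $mismatch = $role && stripos($label, $role_label) === FALSE;
  print sprintf(
    "%s | label: '%s' | grants: %s%s%s\n",
    $action->id(),
    $label,
    $rid,
    $is_admin ? ' (ADMIN ROLE)' : '',
    $mismatch ? ' | LABEL DOES NOT NAME THE ROLE' : ''
  );
}
```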
| Comment | File | Size | Author |
|---|---|---|---|
| #1 | 2512820-1.patch | 322 bytes | pwolanin |
Comments
Comment #1
pwolanin (CreditAttribution: pwolanin at Acquia) commented

Comment #2
pwolanin (CreditAttribution: pwolanin at Acquia) commented

Comment #3
googletorp (CreditAttribution: googletorp as a volunteer) commented
Looks good.

Comment #4
alexpott commented
Committed aa6ef07 and pushed to 8.0.x. Thanks!