Access to the configuration page admin/config/development/reroute_email is restricted to users with the `administer reroute email` permission, but this permission is not marked as `restrict access`.

A user with the permission to access this page can set their own email address as the route-to email address, and use the password reset form to gain access to the password reset URLs of any user, making this an account takeover vulnerability.

It's not practical to filter out sensitive emails because that would defeat the purpose of this email. Simply marking the permission as `restrict access` would be the ideal fix in my opinion, for which I have attached a sample patch.

===

Originally reported by @Ayesh.
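
An added example, not part of the original issue or the module's code: a small Python audit that parses the simple key/value layout of a Drupal 8 `*.permissions.yml` file and lists permissions that lack `restrict access: true`. The sample YAML text, the `administer` name-prefix heuristic and the function names are assumptions made for illustration.

```python
"""Audit Drupal 8 permissions.yml text for permissions missing `restrict access`."""

# Constructed sample, not the module's actual file contents.
BEFORE = """\
administer reroute email:
  title: 'Administer Reroute Email'
  description: 'Configure where outgoing email is rerouted.'
"""
# Same permission with the flag the issue asks for.
AFTER = BEFORE + "  restrict access: true\n"


def parse_permissions(text):
    """Parse the flat two-level mapping used by static permission definitions."""
    perms, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        if not line[0].isspace():
            # Unindented line: a permission name (or the permission_callbacks list).
            name = line.rstrip(":").strip().strip("'\"")
            current = None if name == "permission_callbacks" else perms.setdefault(name, {})
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip().strip("'\"")
    return perms


def unrestricted(text, prefixes=("administer",)):
    """Return permission names matching a prefix that lack `restrict access: true`.

    The prefix match is a heuristic assumed here to pick out administrative permissions.
    """
    return [
        name
        for name, props in parse_permissions(text).items()
        if name.startswith(prefixes)
        and props.get("restrict access", "false").lower() != "true"
    ]


if __name__ == "__main__":
    print("before:", unrestricted(BEFORE))
    print("after: ", unrestricted(AFTER))
```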

Comments

bohart created an issue. See original summary.

tokvv commented:

Added restricted access to reroute_email.permissions.yml.

abramm commented:

Status: Needs review » Reviewed & tested by the community

Looks good to me. RTBC.

  • bohart committed e2a809b on 8.x-1.x authored by tokvv
    Issue #3030221 by tokvv, bohart, abramm, bohart: Add `restrict access`...

bohart commented:

Version: 8.x-1.x-dev » 7.x-1.x-dev
Status: Reviewed & tested by the community » Patch (to be ported)
Issue tags: +Needs backport to D7

Committed to 8.x.
Needs to be ported to D7.

gilmord commented:

Status: Patch (to be ported) » Needs review
Attached file (status: new, size: 408 bytes)

Backport of the patch for D7.

  • bohart committed 807c4de on 7.x-1.x authored by gilmord
    Issue #3030221 by gilmord, bohart: Add `restrict access` warn to the...

bohart commented:

Status: Needs review » Fixed
Issue tags: -Needs backport to D7

Committed to both 7.x-dev and 8.x-dev.
No need for test coverage.

Thanks, @all!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.