This module became unsupported yesterday due to a security issue the maintainer didn't fix.

Does anyone have information about that security issue?

It looks like it is related to the Drupal 8.7.10 core release.
https://www.drupal.org/project/drupal/releases/8.7.10
It's an update of the Symfony HttpFoundation project to v3.4.35 that actually fixes a security issue.
See this commit: https://github.com/symfony/http-foundation/commit/9e4b3ac8fa3348b4811674...

Comments

crtlf created an issue. See original summary.

laborouge commented:

Is there a patch for this module?

I saw a warning on the editor page: https://help.sendinblue.com/hc/en-us/articles/209579145-Implement-Drupal...

Good to know: We no longer provide support for this plugin.

crtlf commented:

You're right. I ended up contacting the support team and they told me that the dev who developed this was no longer working for them.

In our team, because we already used the Sendinblue API in a custom Symfony bundle, we chose to create our own Drupal 8 module to fit our use cases. But you can try to contact the original developer of the "official" Drupal module.
https://github.com/LoicLEMEUT
Here is the repo: https://github.com/LoicLEMEUT/sendinblue

I also know that Drupal lets anybody fork the project and maintain it.

laborouge commented:

Thank you

laborouge commented:

I contacted them as well.

Here is the answer I got:

We have indeed stopped maintaining the Drupal plugin for some time because we do not provide support on it.

Drupal is not used by many customers and our developers are focused on other projects.

Thus, we have chosen not to maintain the plugin.

It will surely be taken into consideration, but not before the end of the year.

We should be able to make a patch I think ...

socialnicheguru commented:

Does this module define a Symfony version?
I did not see a composer.json file.

loicLEMEUT commented:

Hello @here, sorry for the delay.

I'm the new maintainer of this module, in agreement with SendinBlue (https://www.drupal.org/project/sendinblue/issues/3124567).

The security issue is under review, and a patch will be applied soon.

loicLEMEUT commented:

Version: 8.x-1.x-dev » 7.x-1.6
Assigned: Unassigned » loicLEMEUT
Status: Active » Needs review
Attached file: new, 711 bytes

Hello @here,

Here is the patch for the security issue in the Drupal 7 module version.

This module has a serious vulnerability allowing anonymous users to access the administration pages of the Sendinblue integration. As a result, one could delete all subscribers, send newsletters and the like.

Please review, and I will release a new patched version.

Thanks !

greggles commented:

I didn't test this, but visually it looks good to me. I'd like to get at least one person who is a user of the module who can duplicate the issue and confirm this fixes it.

To duplicate the security bug, try being logged out or logged in as a user without any advanced permissions and visit the paths defined by the module in hook_menu. Then apply the patch, clear the Drupal caches, and confirm that access is denied in that scenario.

jejddx commented:

Hello,
As asked in #9, I tested on a working installation.
Without the patch, I could access some of the paths (not all) defined in hook_menu when logged out. I didn't try when logged in as a user without any advanced permissions.

After I applied the patch, I could no longer access any of the paths, neither when logged out nor when logged in as a user without any advanced permissions.

This patch is good for me.
I'm now looking forward to the version 8 variant of this patch.

Thanks

loicLEMEUT commented:

Hi @Jejddx,

Thanks for the review. Someone had an error on the home page, so I have to add a new patch.

Here is the new patch, slightly modified.

@greggles, OK to push it on the 7.x branch?

Thanks

  • loicLEMEUT authored 72ee9da on 7.x-1.x
    Issue #3094362 by loicLEMEUT: Module unsupported due to a security issue
loicLEMEUT commented:

Status: Needs review » Fixed

socialnicheguru commented:

This started as a Drupal 8 issue. Is there not a security issue for Drupal 8?

greggles commented:

I'm not sure why this was filed against the 8.x version, or whether that was intentional.

The security issue that the team was aware of was access bypass in the 7.x version of the module. I believe the 8.x version did not have security coverage at the time (I believe it was very early development work). If you want to test out the presence of the issue in 8.x you could make a list of all the admin paths (I'll paste a list of the 7.x paths below) and then try to visit those paths as an anonymous user. In 7.x you could access and interact with the pages as an anonymous user even though that shouldn't be possible. Hopefully in 8.x this issue was fixed.

Here are the 7.x paths noted as having the problem:
- admin/config/system/sendinblue/campaigns
- admin/config/system/sendinblue/lists
- admin/config/system/sendinblue/statistics
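The two greggles comments above describe the bug class (Drupal 7 admin paths from hook_menu reachable as an anonymous user) and how to verify a fix. The following is an added example, not code from the sendinblue module or from Drupal core: a constructed vulnerable hook_menu() definition for the three paths listed above, a hardened version, and a small static audit that lists router items that do not name a permission of their own. The permission name 'administer sendinblue' and the page callback names are assumptions; the module's real code was not available on this page.

```php
<?php
// Added example, not code from the sendinblue module or from Drupal core.
// Constructed Drupal 7 hook_menu() items in the vulnerable shape, a hardened
// shape, and a static audit of which items lack a permission check. The
// paths are the three listed in the thread; 'administer sendinblue' and the
// page callback names are assumptions.

/**
 * Constructed vulnerable shape. In Drupal 7 a boolean or numeric
 * 'access callback' is taken as the access decision itself, so TRUE serves
 * the page to every visitor, anonymous users included. An item with neither
 * 'access callback' nor 'access arguments' inherits its parent's check
 * (here admin/config/system), not a module-specific permission.
 */
function sendinblue_menu_vulnerable() {
  $items = array();
  $items['admin/config/system/sendinblue/campaigns'] = array(
    'title' => 'Campaigns',
    'page callback' => 'sendinblue_campaigns_page',   // assumed name
    'access callback' => TRUE,                         // bug: everyone allowed
  );
  $items['admin/config/system/sendinblue/lists'] = array(
    'title' => 'Lists',
    'page callback' => 'sendinblue_lists_page',        // assumed name
    // bug: no 'access arguments', so no module-specific permission is checked
  );
  $items['admin/config/system/sendinblue/statistics'] = array(
    'title' => 'Statistics',
    'page callback' => 'sendinblue_statistics_page',   // assumed name
    'access callback' => 'user_access',
    'access arguments' => array(),                     // bug: no permission name
  );
  return $items;
}

/**
 * Hardened shape: the default callback user_access() receives a real
 * permission string through 'access arguments'.
 */
function sendinblue_menu_fixed() {
  $items = sendinblue_menu_vulnerable();
  foreach ($items as $path => &$item) {
    unset($item['access callback']);
    $item['access arguments'] = array('administer sendinblue');  // assumed permission
  }
  unset($item);
  return $items;
}

/**
 * The permission the hardened items rely on, in hook_permission() shape.
 * 'restrict access' marks it as security-sensitive in the permissions UI.
 */
function sendinblue_permission_example() {
  return array(
    'administer sendinblue' => array(
      'title' => 'Administer Sendinblue integration',
      'restrict access' => TRUE,
    ),
  );
}

/**
 * Static audit: return the paths whose router item does not name a
 * permission of its own. Follows Drupal 7's resolution: a boolean/numeric
 * callback is the decision; an absent callback means user_access() when
 * 'access arguments' is set and inheritance of the parent's check otherwise;
 * any other named callback is assumed to check for itself (review by hand).
 */
function sendinblue_audit_menu(array $items) {
  $unprotected = array();
  foreach ($items as $path => $item) {
    $callback = isset($item['access callback']) ? $item['access callback'] : 'user_access';
    $arguments = isset($item['access arguments']) ? $item['access arguments'] : array();

    if (is_bool($callback) || is_numeric($callback)) {
      $protected = !(bool) $callback;   // TRUE / 1 means open to everyone
    }
    elseif ($callback === 'user_access') {
      $protected = !empty($arguments);  // needs a permission name
    }
    else {
      $protected = TRUE;                // custom callback: manual review
    }
    if (!$protected) {
      $unprotected[] = $path;
    }
  }
  return $unprotected;
}

// Run the audit over both definitions.
printf("Vulnerable definition, unprotected: %s\n",
  implode(', ', sendinblue_audit_menu(sendinblue_menu_vulnerable())));
$fixed = sendinblue_audit_menu(sendinblue_menu_fixed());
printf("Hardened definition, unprotected: %s\n", $fixed ? implode(', ', $fixed) : '(none)');
```

The audit runs offline on plain arrays, so it can be pointed at any module's hook_menu() output without a site. On a live Drupal 7 site the router table is cached, which is why the verification step above includes clearing caches after applying the patch: hook_menu() changes only take effect once menu_rebuild() has run.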

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

Rafal Lukawiecki commented:

I am confused by the title of this issue, and by the message on this project's page. Do they mean that the D7 version of this module is no longer supported and that it should not be used? Many thanks.