Currently, the login link is reset to the client user's UID only during site install. Since clients don't have permission to create "reset login" tasks, this is not an issue with default Aegir installs. However, if such a permission is granted, it might be possible for the client to gain access to UID1 on their site.
This needs testing to verify that it is indeed a threat.
#1206414: Refactor to use proper Provision Drush hooks should make fixing this easier, since we'll be hooking into the provision tasks, rather than the post_install hook we're currently using.
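The defensive principle behind the issue above is that a "reset login" task requested by a client must only ever produce a link for that client's own account, and must never fall back to the site-install default of UID 1. The following is an added illustration written for this page; it is not Aegir's or hostmaster's code and does not use Drupal or Provision APIs. The task and requester arrays, the function name `login_reset_target_uid`, and the `is_admin` flag are all hypothetical.

```php
<?php
// Added illustration, not Aegir's own code. Names and data shapes are
// hypothetical and stand in for whatever the task system actually records.

const UID_ADMIN = 1;

/**
 * Decide which account a login link may be generated for.
 *
 * $task      - hypothetical task record:
 *              ['type' => 'login-reset', 'target_uid' => int|NULL]
 * $requester - hypothetical requesting account:
 *              ['uid' => int, 'is_admin' => bool]
 *
 * Returns the UID the link must target, or NULL to refuse the task.
 */
function login_reset_target_uid(array $task, array $requester) {
  if ($task['type'] !== 'login-reset') {
    return NULL;
  }

  // Privileged operators may request any target, including UID 1.
  if (!empty($requester['is_admin'])) {
    return isset($task['target_uid']) ? (int) $task['target_uid'] : UID_ADMIN;
  }

  // A client only ever receives a link for its own UID. An explicit request
  // for a different account (UID 1 in particular) is refused outright rather
  // than silently replaced by the install-time default.
  $requested = isset($task['target_uid'])
    ? (int) $task['target_uid']
    : (int) $requester['uid'];

  if ($requested !== (int) $requester['uid']) {
    return NULL;
  }
  return $requested;
}

// Constructed sample calls: a client with no explicit target, a client
// asking for UID 1, and an administrator with no explicit target.
var_dump(login_reset_target_uid(
  ['type' => 'login-reset', 'target_uid' => NULL],
  ['uid' => 42, 'is_admin' => FALSE]
));
var_dump(login_reset_target_uid(
  ['type' => 'login-reset', 'target_uid' => 1],
  ['uid' => 42, 'is_admin' => FALSE]
));
var_dump(login_reset_target_uid(
  ['type' => 'login-reset', 'target_uid' => NULL],
  ['uid' => 7, 'is_admin' => TRUE]
));
```

The point of resolving the target from the requester's own identity, rather than from whatever UID the task happens to carry, is that granting the "reset login" permission to clients then no longer changes who a link can be issued for; only the privileged branch can reach UID 1, and that branch is gated on the requester's role, not on the task payload.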
| Comment | File | Size | Author |
|---|---|---|---|
| #2 | hostmaster-sdo-6.x-1.x-97948-4.patch | 1.04 KB | anarcat |
| #2 | hostmaster-sdo-6.x-2.x-97948-4.patch | 1011 bytes | anarcat |
Comments
Comment #1
ergonlogic commented: As I noted above, "This needs testing to verify that it is indeed a threat."
Comment #2
anarcat commented: So this was actually reported to the security team. We determined it was not a security issue that deserved the traditional embargo because (a) it has been reported here a long time ago and (b) if a user has access to a site, they can already perform other destructive operations on it, and therefore this is a problem in certain isolated use cases.
We nevertheless see this as a bug that should be fixed, and I attach helmo's patches to fix the problem here.
Comment #3
anarcat commented: So what actually needs to happen next here? The patches look fine to me...
Comment #4
helmo commented: Just commit it I guess?
Comment #5
anarcat commented: done.