Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Menu enable and disable act on a GET request (which they shouldn't). More importantly, this makes it vulnerable to cross site request forgeries; meaning that when you are logged in as admin and visit a malicious site, they can enable/disable your menu items.
This either needs a confirmation form, or a token in the URL.
Note, this concerns a vulnerability in Drupal 6.x-dev only. Report vulnerabilities in released versions by sending an email to security@drupal.org.
Comment | File | Size | Author |
---|---|---|---|
#28 | menu_ui_good.png | 27.66 KB | Gábor Hojtsy |
#28 | menu_ui_bad.png | 28.76 KB | Gábor Hojtsy |
#27 | menu_overview_form.patch | 12.29 KB | chx |
#24 | menu_overview_form.patch | 12.21 KB | chx |
#22 | menu_overview_form.patch | 11.8 KB | chx |
Comments
Comment #1
pwolanin CreditAttribution: pwolanin commentedsince all enable/disable does is show/hide items, this seems more like a potential annoyance than any kind of security threat.
Comment #2
Heine CreditAttribution: Heine commentedAnnoyance is not the word.
People won't like it when their ecommerce site suddenly has no menu.
Comment #3
pwolanin CreditAttribution: pwolanin commentedok, so if we want to avoid another annoying confirm form, what would a URL token solution look like?
Comment #4
Heine CreditAttribution: Heine commentedI'm not convinced taking actions on GET is a good idea. What you could do however;
Get a token via drupal_get_token (eg drupal_get_token("menu") or drupal_get_token("menu-{$id}")), simply add it to the link.
In the receiving function, simply verify the token eg: drupal_valid_token($token, "menu-{$id}").
Comment #5
Heine CreditAttribution: Heine commentedComment #6
pwolanin CreditAttribution: pwolanin commentedhere's a patch that adds tokens to those links as you suggest.
Comment #7
pwolanin CreditAttribution: pwolanin commentedComment #8
pwolanin CreditAttribution: pwolanin commentedfor preventing both GET and POST CSFR, it's not clear to me that it can be prevented if the "bad" site or script can send an initial GET request to get the page source containing the token/form token? Obviously this requires a more thorough knowledge of the target and more code, but why is this not possible?
Comment #9
moshe weitzman CreditAttribution: moshe weitzman commentedpwolanin - the bad site would have to have your session id in order to get a valid token on the url. otherwise they have to send your browser to the drupal site twoce (once to get token and once to send to destination url). if they can do that they really own you.
Comment #10
Heine CreditAttribution: Heine commentedWhile a script can post to a certain URL, reading the token is prevented by the browser's cross domain security policy. See http://msdn2.microsoft.com/en-us/library/ms533028.aspx.
Comment #11
pwolanin CreditAttribution: pwolanin commentedok, thanks for the clarification. So, is this token solution sufficient, or would it still be better to go for a confirm form? Or something else (e.g. we could turn this page into a form and enable/disable could be buttons rather than links)?
Comment #12
Heine CreditAttribution: Heine commentedThe access denied is a bit to harsh; a message about a validation error and the tip to refresh the menu might prevent panic on cached pages.
I'd put the token as a url part, not in a separate querystring, but that's a detail.
Comment #13
Gábor HojtsyI think it would be better consistency wise too to make this page a form. It looks quite pointlessly repetitive to output dozens of tokenized links.
Comment #14
anders.fajerson CreditAttribution: anders.fajerson commentedThis page is becoming a form due to the drag and drop work: http://drupal.org/node/181126. An enable checkbox seems like a good option here.
Comment #15
chx CreditAttribution: chx commentedI took quicksketch's patch and simplified the form and added a submit handler. I am not 100% that quicksketch's D&D will get in D6 but if it does, it's quite trivial to augment my patch to become his. The submit function shows the sheer power of FAPI3 :) If you want to test do not forget to rebuild your menu.
Comment #16
brenda003With this patch applied, if I add a node and use the "Menu settings" option, the link shows up on the actual navigation but not under admin/build/menu settings anywhere.
Comment #17
chx CreditAttribution: chx commentedI did a fresh install and I am unable to reproduce this.
Comment #18
brenda003It was an issue w/ pager not showing up.
Comment #19
chx CreditAttribution: chx commentedAdded pager. Got tons of notices. Fixed notices at its core -- menu_tree_data was no prepared that it might not start at root. Removed a helper variable there as there was little point. Now works well.
Comment #20
catchInstalled this. Created menu items from both the node/edit node/add and admin/build menu forms. All seems to be fine.
Comment #21
Gábor HojtsyGenerally loooks good, but:
- I don't understand why we complicate our code with an empty output first:
- This patch gives menu_overview_form() a multiline function comment, which does not fit coding standards.
These are not big issues though.
Comment #22
chx CreditAttribution: chx commentedIf these are not big issues then why not commit and reopen as minor? Grr.
Comment #23
Gábor HojtsyOK tested the patch:
- I would put the enabled checkboxes to the left of the table, as it is in the module listing (or the language listing, or...).
- It looks quite strange to see the "expanded" information, but not being able to modify it (need to go to edit). Why don't make a checkbox out of it?
- Empty menus show an empty table and a Submit button, instead of a friendly note that there are no menu items yet.
- We removed "Submit" buttons and used "Save" "Save settings" etc. labels instead to be more to the point. Here "Save configuration" seems to be fit for the purpose.
Comment #24
chx CreditAttribution: chx commentedChanges as requested. I would like to draw attention to this submit function which utilizes quite some form API 3 goodies to achieve simplicity.
Comment #25
Gábor HojtsyTesters welcome.
Comment #26
brenda003Tested and looks good.
Comment #27
chx CreditAttribution: chx commentedComment #28
Gábor HojtsyAlthough chx did not mention, he implemented my suggestion to move the Enabled checkbox column before the Expanded column and add align=center to the checkbox cells for consistency with other such forms throughout Drupal. Tested the new patch again, and everything seems to work fine, so committed. (I did remove "sortable drag and drop" from the comment "Theme the menu overview form into a sortable drag and drop table." though, as it is not what's happening here :)
However, there is a UI problem here still, which should be solved in a follow up patch. See the attached images. The UI looks as good as it can be when the window is not wide. But when the window is wider, big gaps appear. Actually, the enabled and expanded columns should not expand in size, but the menu item column should take up the space (or the table should not expand at all). Let's get this solved, and we can close this issue.
Comment #29
quicksketchRock! Thanks chx! This'll make the Drag and Drop patch for menus (http://drupal.org/node/181126) much smaller and easier. Note that I'll probably switch the column order if that's acceptable to use the title first, then checkboxes. That way the drag handle will be on the left side next to the title, rather than a bunch of checkboxes.
Comment #30
Gábor HojtsyOK, we will discuss checkbox placement there then.
Comment #31
chx CreditAttribution: chx commentedGoba, if you think the other issue will get in, then please set this to fixed.
Comment #32
Gábor HojtsySure, will do as soon as this turns out.
Comment #33
Gábor HojtsyLooked into http://drupal.org/node/181126, so I am closing this in the hopes that the UI issues will be fixed with the menu DND. These UI issues are not critical anyway.
Comment #34
(not verified) CreditAttribution: commentedAutomatically closed -- issue fixed for two weeks with no activity.