I just found a really ugly security bug:
The theme configuration pages (e.g. admin/build/themes/settings/garland) are not secured at all against anonymous users.
The enclosed patch introduces the necessary access check (user_access('administer site configuration')) into _system_themes_access.
To reproduce: Just log off your site and go to admin/build/themes/settings/garland. The page will be displayed, as if you had admin rights.
The enclosed patch was created against D6, but also applies cleanly to HEAD (D7). D5 is not affected by this bug.
Comment | File | Size | Author
---|---|---|---
 | access_control_themes_settings.jpg | 39.62 KB | Pancho
 | access_control_themes_settings.patch | 718 bytes | Pancho
Comments
Comment #1
chx
Comment #2
jgoldberg: Has anyone considered some kind of security mechanism that applies to any /admin/* menu item?
Comment #3
cburschka: Technically, D6 menus should default the access control on items to their parents. admin/build is surely secured. How does this bug occur in spite of that?
Comment #4
cburschka: Oh, never mind. The access only defaults to the parent if the access callback isn't set, and it is here. If you implement your own access hook, you have to take care to secure the page against unauthorized entry, so the fix in the patch is completely correct.
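The mechanism described in the report and in comment #4, as an added example that is neither part of this issue nor Drupal core code: a stand-alone PHP script that simulates, in simplified form, how a Drupal 6 router item ends up with an access callback (an item that sets its own 'access callback' does not inherit the parent's check), and runs the Garland settings path through a vulnerable and a fixed callback. The pre-patch body of _system_themes_access is assumed (the page only shows that the fix adds user_access('administer site configuration')); user_access() is a stand-in driven by a global, and example_theme_enabled(), example_menu(), example_resolve_access() and example_check_access() are hypothetical helpers written for this example.

```php
<?php
// Added example, not code from this issue or from Drupal core. It simulates,
// stand-alone, how a Drupal 6 router item ends up with an access callback and
// shows why a custom 'access callback' must call user_access() itself.

// Stand-in for Drupal's user_access(): the current user's permissions are held
// in a global for the example instead of coming from the role tables.
$GLOBALS['example_permissions'] = array();

function user_access($permission) {
  return in_array($permission, $GLOBALS['example_permissions'], TRUE);
}

// Hypothetical theme check standing in for the theme registry.
function example_theme_enabled($theme) {
  $enabled = array('garland' => TRUE, 'minnelli' => FALSE);
  return !empty($enabled[$theme]);
}

// Assumed pre-patch shape of the callback: it checks the theme but not the
// user, trusting that admin/build's permission check already ran. The router
// gives no such guarantee once 'access callback' is set explicitly.
function _system_themes_access_vulnerable($theme) {
  return example_theme_enabled($theme);
}

// Shape of the callback after the patch: the permission check is part of the
// callback itself, so it runs for this item regardless of the parent.
function _system_themes_access_fixed($theme) {
  return user_access('administer site configuration') && example_theme_enabled($theme);
}

// Simplified hook_menu() items. %theme is a wildcard; the integer 4 in
// 'access arguments' means "path component 4", the D6 convention.
function example_menu($callback) {
  $items = array();
  $items['admin/build'] = array(
    'access arguments' => array('administer site configuration'),
  );
  $items['admin/build/themes/settings/%theme'] = array(
    'access callback' => $callback,
    'access arguments' => array(4),
  );
  return $items;
}

// Simplified version of the D6 router rule (see comment #4): an item with no
// explicit 'access callback' gets 'user_access' when it has access arguments,
// otherwise it inherits callback and arguments from its nearest parent.
// An item that explicitly sets 'access callback' is left alone.
function example_resolve_access($items) {
  foreach ($items as $path => &$item) {
    if (isset($item['access callback'])) {
      continue;
    }
    if (isset($item['access arguments'])) {
      $item['access callback'] = 'user_access';
      continue;
    }
    $parts = explode('/', $path);
    while (count($parts) > 1) {
      array_pop($parts);
      $parent = implode('/', $parts);
      if (isset($items[$parent]['access callback'])) {
        $item['access callback'] = $items[$parent]['access callback'];
        $item['access arguments'] = $items[$parent]['access arguments'];
        break;
      }
    }
  }
  unset($item);
  return $items;
}

// Evaluates a resolved item for a concrete path, substituting path components
// for integer access arguments. Items with no callback at all are denied here
// (the example's own conservative default).
function example_check_access($items, $router_path, $actual_path) {
  $item = $items[$router_path];
  if (empty($item['access callback'])) {
    return FALSE;
  }
  $parts = explode('/', $actual_path);
  $args = array();
  foreach ($item['access arguments'] as $arg) {
    $args[] = is_int($arg) ? $parts[$arg] : $arg;
  }
  return (bool) call_user_func_array($item['access callback'], $args);
}

// Reproduce the report: an anonymous and an admin user requesting the Garland
// settings page, once with the vulnerable and once with the fixed callback.
$router_path = 'admin/build/themes/settings/%theme';
$actual_path = 'admin/build/themes/settings/garland';
$variants = array(
  'vulnerable' => '_system_themes_access_vulnerable',
  'fixed'      => '_system_themes_access_fixed',
);
foreach ($variants as $label => $callback) {
  $items = example_resolve_access(example_menu($callback));
  $GLOBALS['example_permissions'] = array();                                // anonymous
  $anon = example_check_access($items, $router_path, $actual_path);
  $GLOBALS['example_permissions'] = array('administer site configuration'); // admin
  $admin = example_check_access($items, $router_path, $actual_path);
  printf("%-10s anonymous=%s admin=%s\n", $label, var_export($anon, TRUE), var_export($admin, TRUE));
}
```

Run it with `php example.php`. With the vulnerable callback the anonymous request is granted because the only check that ever runs for the item is its own callback, and that callback never consults user_access(); the parent's 'administer site configuration' check belongs to admin/build and is not re-run for children that define their own callback. With the fixed callback the anonymous request is denied and the admin request still succeeds, which is exactly the behaviour the patch restores.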
Comment #5
Gábor Hojtsy: Huh. Thanks, committed to 6.x. Also RTBC for 7.x.
Comment #6
Dries: Committed to CVS HEAD. Thanks.
Comment #7
Anonymous (not verified): Automatically closed -- issue fixed for two weeks with no activity.