The Security Team considered including this in SA-2014-06, but after debate decided to have it as a public issue since it's a hardening to fix a bug, and there is no known security implication currently.

Commit credit: Lendude

Original report by @Lendude
This applies to the 'contact' module in D7 core only (not 6 or 8).

This module has an 'impersonate user' vulnerability.

You can see this vulnerability by:
there is no known way to exploit the issue and it's difficult to imagine a way to exploit it

The form submission handler for global and personal contact forms sets the username of the global user object to the username submitted in the form. This leads to the global user object having an unvalidated/insecure/fake username. Any code using the global user object executed after the submit handler was called will use this 'wrong' username.

In a worst case scenario code could use user_load_by_name on the global user and end up with the wrong user (even the admin user if the right username is supplied in the contact form).

I didn't find any code that actually does this, but still it can be easily fixed by just using a clone of the global user object (this is actually what already happens in D8).
I've attached a patch that does this.
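To make the aliasing concrete, here is an added stand-alone PHP illustration (not Drupal's contact module code and not the attached patch; no Drupal API is called): `$user` is a stand-in for the global user object, `buggy_submit()` mirrors the assign-onto-the-global pattern described above and `fixed_submit()` the clone-based fix.

```php
<?php
// Added illustration, not Drupal code. PHP objects are passed by handle, so
// "$sender = $user" does not copy the account: any write through $sender lands
// on the global object and is visible to everything that runs afterwards.

// Stand-in for the global $user object of a logged-in account (constructed data).
$user = (object) array('uid' => 42, 'name' => 'alice', 'mail' => 'alice@example.com');

// Buggy pattern: $sender is the same object as the global, so the submitted
// (unvalidated) name overwrites the real account name.
function buggy_submit($submitted_name) {
  global $user;
  $sender = $user;                 // handle to the global object, not a copy
  $sender->name = $submitted_name;
  return $sender;
}

// Hardened pattern: work on a clone; the submitted name only lives on the copy.
function fixed_submit($submitted_name) {
  global $user;
  $sender = clone $user;           // independent copy of the account object
  $sender->name = $submitted_name;
  return $sender;
}

// Stand-in for any later code that trusts the global user's name, e.g. a
// lookup such as user_load_by_name($user->name) in Drupal 7.
function name_of_global_user() {
  global $user;
  return $user->name;
}

$original = name_of_global_user();

fixed_submit('admin');
printf("after clone:  global name still '%s'? %s\n",
       $original, name_of_global_user() === $original ? 'yes' : 'NO');

buggy_submit('admin');
printf("after buggy:  global name still '%s'? %s (now '%s')\n",
       $original, name_of_global_user() === $original ? 'yes' : 'NO',
       name_of_global_user());
```

Run with `php` from the command line; the second line shows the global account carrying the form-supplied name, which is exactly the state a later name-based lookup would act on.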

Comments

pwolanin’s picture

Issue summary: View changes
David_Rothstein’s picture

Status: Reviewed & tested by the community » Fixed
Issue tags: +7.35 release notes

Committed to 7.x - thanks!

Tests might not be a bad idea here, but given that you'd need somewhat obscure code to trigger a case where this would matter, and given that the code isn't in Drupal 8 anymore, we can live without them.

  • David_Rothstein committed de8762b on 7.x
    Issue #2380143 by Lendude, pwolanin: Contact forms set an incorrect name...

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

David_Rothstein’s picture

Issue tags: -7.35 release notes +7.36 release notes

Updating tags, since 7.35 was a security release instead.