Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Just received the email saying this module is now deprecated due to SA-CONTRIB-2015-065. I had plans to use this module, and this one seemed to fit my needs.
Do you guys have any plans to patch the security issues? I could find some just by looking at the code. Since there are more than 1K users for this module, I think should write a patch if possible.
- If any of you guys have plans to take this, please update this. I'm currently busy with some other work, but I will be able to provide a patch in 3-4 days.
Comment | File | Size | Author |
---|---|---|---|
#11 | sa_contrib_2015_065_fix-2446157-11--7-x-1-x.patch | 7.79 KB | Ayesh |
#11 | sa_contrib_2015_065_fix-2446157-11--6-x-2-x.patch | 6.24 KB | Ayesh |
#11 | sa_contrib_2015_065_fix-2446157-11--6-x-1-x.patch | 8.64 KB | Ayesh |
Comments
Comment #1
dadderley CreditAttribution: dadderley commentedI am one of the 1K users of this module.
I really need it and there seems to be no other drupal module that has this functionality.
I wish you success with the patch.
Thank you.
Comment #2
Ayesh CreditAttribution: Ayesh commentedI went through the code in all three branches (7.x-1.x, 6.x-2.x and 6.x-1.x). I actually found some bugs that can produce errors in run time (using
t()
in install hooks for example), but I focused on the security fixes.Attached three patches fix should these issues:
- XSS possibility because admin-provided values were not sanitized.
- Custom tables that show term names were vulnerable to XSS because the term name was not sanitized.
- Minor issues with the use of
t()
function modifiers (Changing!
to@
because!
modifier allows unsafe HTML, though it's only theoretical to use this for an attack.)- Most importantly, some CSRF fixes that allowed anyone to trick administrators to delete role-rules (7.x-1-x , 6.x-1.x and 6.x-2.x), and even the registration codes (6.x-1.x only).
I pushed the complete code to a Github repo https://github.com/Ayesh/Drupal-regcode-DRUPAL-SA-CONTRIB-2015-065-fix if you want to inspect the full code.
Comment #3
Ayesh CreditAttribution: Ayesh commentedComment #4
jphelan CreditAttribution: jphelan commentedI applied the 7.x patch and everything seems fine. I did get a Hunk failed and had to apply part of it manually but I have a two other patches on the this module already so that probably had something to do with it.
Comment #5
Ayesh CreditAttribution: Ayesh commentedThanks Justin.
I wrote the patches against the latest version available in git, so I'm not sure why the patch failed. Probably due to the existing patches you have as you said.
Comment #6
jphelan CreditAttribution: jphelan commentedThanks for doing this Ayesh.
Comment #7
Pere OrgaThank you for looking into this. Please see my comments below for the 7.x patch:
This does not need to be sanitized because it does not contain user input. It's safe already.
Same here.
Can these variables be inserted by a user via the UI? If not, this shouldn't be sanitized.
That looks unnecessary as well.
I think that's ok.
Probably ok. But consider using confirm_form() like this:
(That's an idea only)
If you prefer to use tokens and not a confirmation page, you should probably return MENU_ACCESS_DENIED here.
Ok
Ok
Is that better? Is that security related?
Same question as above.
That fixes an issue, but you are unnecessarily sanitizing extra things. As far as I can see only taxonomy term names could be dangerous.
Ok if not using confirm_form().
I don't think that's necessary. Is it user provided input?
Same as above.
Same.
Comment #8
Pere OrgaThat's a good start, but it's incomplete. Other submodules had similar issues that are not covered by the patches.
Please can you submit new patches?
Comment #9
Ayesh CreditAttribution: Ayesh commentedThanks for your in-depth review, Pere.
- I agree with you about the
@
vs!
modifiers. They are practically not real security issues. But all examples and best practices lead to use the@
modifier for URLs. Doc page says the same. This will however require translations of these strings to be replaced.What do you think? Should we go for the security best practice, or ignore this for this patch ?
-
check_plain()
forvariable_get()
. I think this is the main security issue reported. Access to the admin page is covered byadminister registration codes
permission (not a higher level access level). I did a complete test with all modules, and wrapped every field that was success when I enter<script>alert('damn')</script>
in the input field.- Also, this module allows admins to create custom reg codes with 1-255 char length. Not sanitized when displaying. That is why I
array_map
'd the table row values. This happens before processing date fields (which are UNIX timestamp integers at that moment), and acheck_plain()
wouldn't hurt them.- The intro text is a text area. It does not use a text filter, nor mention anything about allowed HTML tags. Input field is a text area, so I used
filter_xss_admin
(notfilter_xss()
, because it's an admin setting this value). Unless filtered, it can break HTML and XSS.-
drupal_set_message
does not sanitize the text either, so it was necessary to sanitize it too.- In the role-rule admin UI, module was functioning with clickable URLs. A form would work too, but I think it would be unnecessary since tokens are secure enough to be used in many places in core, including the theme admin UI.
- Thanks for the note about
MENU_ACCESS_DENIED
instead ofdrupal_access_denied()
.I will make amends and upload 3 patches again for all the versions. Thanks again for your review.
Comment #10
Pere OrgaPersonally I don't do that, but I see the point.
However, as this is supposed to fix the security vulnerability, I think we should not change this now.
Good catch then, I will have a deeper look at this later.
At least on D7 version, this was already being sanitized. I tried to inject XSS in that page and reg codes were being escaped properly (not like the term names)
I agree, in the case the content comes from user input.
Ok
Cool thanks
Comment #11
Ayesh CreditAttribution: Ayesh commentedAttaching 3 new patches, to replace the previous ones (not on top of the previous patches).
- t() function modifiers are not changed in this patch. A future bug fix release can fix them in the future.
-
check_plain()
andfilter_xss_admin
calls are still there, because admin-provided strings are provided to the form array as-is, and those properties do not run sanitizing functions on their own.- I found another CSRF in the
regcode_og
sub module. I double checked that I checked all modules before writing the patch. Hence, the larger file size that previous set of patches.- Still using the token-based CSRF protection (as opposed to a confirmation form) because that makes no front end change.
I also contacted the module author to review them if he can (that was a 4 days ago). It would be great if Pere, module author or anyone could review these.
Thanks!
Comment #12
Pere OrgaThese patches look good to me. You were right about the variables being unsafe, I did not detect them in my original report.
I tested 7.x patch and I found that the UX was not great: there was not redirection after deleting entries. For some reason the calls you put to drupal_goto() were not working and I was seeing a blank page - maybe another reason to use confirmation forms?
Also, in 7.x at least OG integration became broken at some point, so it may be a good idea to fix #2278707: Intergration with OG Broken before next release.
Anyway the vulnerabilities should now be fixed, so marking it RTBC.
Many thanks
Comment #13
Ayesh CreditAttribution: Ayesh commentedThank you Pere!
I tried to contact the module owner some time ago, but I did not get any response. Created a maintainer-ship request here (#2457065: Offering to maintain Reg Codes module); lets see how it progresses.
Comment #14
zeezhao CreditAttribution: zeezhao commentedWhen using patch from #11, I get the following error when admin tries to create a user via:
admin/people/create
Comment #15
Ayesh CreditAttribution: Ayesh commented@zeezhao - the patch in #11 does not change anything in the hook_user_insert function. This issue is about getting the module's unsupported status removed, which we can then move onto other changes.
For your particular case, changing "continue;" with "return;" should fix the problem. But again, that is out of the scope of this issue for now.
Comment #16
Pere Orga@Ayesh Can you create an issue in https://www.drupal.org/project/issues/projectownership ?
Comment #17
Ayesh CreditAttribution: Ayesh commentedThanks @Pere. I moved my current issue to the project ownership queue. Hope it'll get passed through. #2457065: Offering to maintain Reg Codes module
Thanks again for your continued help in this :)
Comment #21
Ayesh CreditAttribution: Ayesh commentedWe finally have a stable version back again. Special thanks to Pere for the enormous help during the security review, reporting the security issues in first place, and everything.
Comment #22
dadderley CreditAttribution: dadderley commented@Ayesh
Many thanks