Filing this issue so that people interested in the module publicly can follow along.

Attachment (comment #4): p2rp-noanon.patch (6.02 KB), uploaded by poiu

Comments

greggles created an issue.

kporras07

I'd love to work on this if some help is necessary.

greggles

Thanks, kporras07! Matt and I are coordinating in chat on fixing things and getting the module resupported. If you could review the module for any additional security vulnerabilities that would be a great help. When it's brought back to supported we want to make sure there aren't any followup security issues.

If you do find a security issue, please report it to the private security team queue.

poiu

Attached: p2rp-noanon.patch (6.02 KB)

Hi,

As someone who isn't privy to the details of the vulnerability but needs this module (just to make UX better for people who already have an "administer users" permission) - would the attached patch make it "safe"?

It basically takes out all the anon-accessible paths from hook_menu and hook_menu_alter.

flaviovs

I second that question. Does the patch address the issue in the SA?

greggles

Status: Active » Fixed

The fix in #4 is not sufficient. grasmash and I worked through some changes and the fix is now published at https://www.drupal.org/project/profile2_regpath/releases/7.x-1.13

I've updated the advisory at https://www.drupal.org/node/2824407 to mention this release.

Please update your sites with that release as soon as possible.

flaviovs

Thanks!

mlecha

Thank you!

oskylark

The version for this issue is 7.x-2.x-dev yet only version 7.x-1.x has been updated and version 7.x-2.0-beta3 is no longer supported. Is there a 7.x-2.x-dev release that has had the fix applied and if so where is it available?

Thanks

grasmash

I've fixed the security vulnerabilities on the 7.x-2.x branch and also created a 7.x-2.0-beta4 release containing the fixes. The security team must review the new security release before it is made publicly available.

greggles

Thanks, grasmash - 7.x-2.0-beta4 was published yesterday.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.