This module has huge security issues. Firstly, it writes all mail to the public file system, including the ones that contain the reset links:
╭─Sam@Sams-MacBook-Pro.local ~/Sites/drupal/8/sites/default/files/mail-log ‹8.4.x›
╰─➤ cat log_09_Mar_2017.txt
[Thursday 9th of March 2017 08:26:49 AM] to:foo@example.com Subject:One-time Login details for foo@example.com at Drush Site-Install message:foo@example.com,
You may now log in by clicking this link or copying and pasting it into your browser:
http://drupal.core/user/amlogin/2/615672/66bb9d600c1058456eb6eb9fc5875526
This link can only be used once to log in.
-- Drush Site-Install team
--MAIL END--
------------------------------------------------------------------------------------------------------------
Secondly, the reset links themselves are guessable. If you know when a user registered (it's on their profile), you can hit the site 999999 times to guarantee a hit on their login link.
Comments
Comment #2 by klausi
Comment #3 by gaurav_drupal
@klausi
Logging of mails was not required, so I removed that as of now.
Secondly, new links are generated every time a user requests a login link, from a mix of the timestamp and email id. Old links are automatically invalidated and no link will work after 24 hrs.
If there is still something to do here which I don't understand, then please let me know and, if possible, help me with this; that would be great. Thanks
Comment #4 by gaurav_drupal
@klausi
Comment #5 by gaurav_drupal
Comment #6 by gaurav_drupal
Comment #7 by gaurav_drupal
Comment #8 by greggles
Have you done anything to address the concern about link urls being guessable?
One question I have is that core already includes a url that will auto-login a user. I'm curious what was missing from that feature that requires a new url.
The core one-time-login url system has been reviewed, vetted, and improved for over a decade. It is guaranteed to be more secure and is something your module should leverage.
Comment #9 by gaurav_drupal
@greggles hey, I know the core one-time-login url could have been a better option, but there is another feature which this module will have, i.e. the statistics which show login counts and login request counts for an email Id respectively. This would not be possible with the core one-time login URL system.
In the current one-time-url system, every time a user requests a login link, the old one-time-url (if any) gets expired and the newly generated URL is valid for the next 24 hours only. So I don't understand how these links are guessable, since the links being generated are a hash of the timestamp and email Id and a combination of some random numbers as well.
I would like to have your inputs on improving the security of the current URL system being implemented in this module.
Comment #10 by gaurav_drupal
Comment #11 by greggles
The login_history module detects a one-time login, so it is possible to detect that and provide statistics about that.
Comment #12 by gaurav_drupal
@greggles core one-time-urls require the user to reset their password. Can you provide a patch for this? That would be very helpful.
Comment #13 by gaurav_drupal
Comment #14 by greggles
I won't provide a patch as I don't use the module.
Please don't close a critical security issue as "works as designed".
You raised a potential problem with using the core one-time-login system and I've pointed out that the problem is not really a problem.
You stated that the urls are not guessable because they are generated from a mix of information and somewhat hard to guess, but they are not hard *enough* to guess. That's been the point since the beginning.
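As an added illustration of the token design the reporter and greggles are asking for (this is example code, not the module's or Drupal core's): the link secret comes from a CSPRNG rather than from the timestamp and email, only a digest is stored server-side, a newer link replaces the older one, links expire after 24 hours and die on first use, and the entropy of a six-digit counter is computed for comparison. The class and function names are assumptions.

```python
import hashlib
import hmac
import math
import secrets
import time

TOKEN_BYTES = 32              # 256 bits of CSPRNG entropy per link
TOKEN_BITS = TOKEN_BYTES * 8
LINK_TTL_SECONDS = 24 * 3600  # the 24-hour lifetime the module already uses


class OneTimeLoginStore:
    """Issues and redeems single-use login tokens (hypothetical helper).
    Only a SHA-256 digest of each token is kept, so a leaked table or a
    mail log that exposes this store does not expose usable links."""

    def __init__(self):
        self._by_email = {}   # email -> (token_digest, expires_at)

    def issue(self, email, now=None):
        now = time.time() if now is None else now
        # Not derived from registration time, email or a small counter:
        # nothing public lets anyone narrow the search space.
        token = secrets.token_urlsafe(TOKEN_BYTES)
        digest = hashlib.sha256(token.encode()).hexdigest()
        # Issuing a new link invalidates the previous one for this address.
        self._by_email[email] = (digest, now + LINK_TTL_SECONDS)
        return token  # goes into the e-mail only, never to a log file

    def redeem(self, email, token, now=None):
        now = time.time() if now is None else now
        entry = self._by_email.get(email)
        if entry is None:
            return False
        digest, expires_at = entry
        presented = hashlib.sha256(token.encode()).hexdigest()
        # compare_digest keeps the comparison time independent of the bytes.
        if now > expires_at or not hmac.compare_digest(digest, presented):
            return False
        del self._by_email[email]   # single use: dead after one login
        return True


def entropy_bits_of_counter(max_value):
    """Entropy of a link whose only unknown is a counter in [0, max_value],
    e.g. the 999999-attempt search the report describes."""
    return math.log2(max_value + 1)
```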