The issue below was reported to the Drupal security team. Their recommendation was to create an issue in the public queue since there is no stable release of colorbox yet.
ISSUE:
The colorbox module offers an option to "enable custom links that can open any form in a Colorbox. Add the class "colorbox-form" to the link and build the url like this /colorbox/form/[form_id]?width=500&height=500".
The callback for this path colorbox/form (line 66) only checks for user_access('access content'). If content is maliciously created with a colorbox/form link to an admin form, then an anonymous user with 'access content' can click on the link and change admin settings.
EXPOSURE:
all modules that have admin form functions in their .module file and not in an .admin.inc file
TEST:
[1] grant 'access content' permission to anonymous user
[2] install extlink module
[3] create content with the link below:
<a class="colorbox-form" href="/colorbox/form/extlink_admin_settings?width=500&height=500">Test hack</a>
[4] visit the site as an anonymous user
OTHER LEAKS TO PUBLIC:
#760972: Allow a selection of forms to be opened in a Colorbox via a custom formatted link - this discussion almost exposes this security hole to the public
VERSIONS:
Drupal: all versions of 6
colorbox: 6.x-1.x-dev, 2010-04-19, datestamp = "1271635394"
/************************************************************************************/
Drupal Security Team response:
That's a serious issue.
However, the colorbox module only has a dev and a beta release. Our policy is to treat all issues that don't concern stable releases in the public issue queue.
Please create an issue about this at http://drupal.org/node/add/project-issue/colorbox
Regards,
Drupal security team
/************************************************************************************/
My thoughts
To simplify, limit this functionality to only a few chosen forms with the proper access checks, i.e. login, contact, ...
Comments
Comment #1
frjo commented: Thoughtless of me to add this feature and good of you to catch it.
A whitelist of forms with access checks as you suggest sounds like the best solution.
Here are three I suggest, any more?
contact_mail_page
user_login
user_login_block
Comment #2
frjo commented: More forms:
user_register
user_pass
Comment #3
frjo commented: Committed a fix to 6-dev that I hope will remove this security problem.
The main part is this access check that will only allow certain forms and check if the user should have access to them.
Please try it out and report back here.
The dev tarballs are only rebuilt every 12 hours, so grab the code directly from CVS.
The tarball has been rebuilt now, so just download it from the project page as normal.
Comment #4
recrit commented: One small tweak to the contact page is below in the results. Other than that it's a great step forward. It's useful functionality that can be safely extended now as other forms are suggested. The forms in the whitelist should be added to the admin description so people don't blindly try to load any form and fill up the issue queue when it doesn't work.
Results:
Either way this needs revamping a little bit. This should call the contact wrapper function 'contact_site_page', which includes a flood control check, before getting the form 'contact_mail_page'.
Something like this would work:
Comment #5
frjo CreditAttribution: frjo commentedGood improvement, thanks! Committed to 6-dev.
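The following Drupal 6 code is an added illustration of the pattern described in the report and of the whitelist-plus-access-check fix discussed in comments #1 to #4; it is not the colorbox module's own code and not the committed fix (which the page does not reproduce). The module prefix colorbox_whitelist_ and the path colorbox/form-unsafe are assumptions chosen for the example. Core functions used (drupal_get_form, user_access, user_is_anonymous, user_register_access, contact_site_page, module_load_include) exist in Drupal 6.

```php
<?php
// Illustrative Drupal 6 code added to this issue; not from the colorbox
// project. Function names prefixed colorbox_whitelist_ are assumptions.

/**
 * Implementation of hook_menu().
 */
function colorbox_whitelist_menu() {
  $items = array();

  // The pattern the report describes: the only gate is 'access content' and
  // the form ID is taken verbatim from the URL, so anyone who can view
  // content can build any form function that is loaded, including admin
  // settings forms defined in a .module file. Kept only to show what the
  // hardened route below replaces.
  $items['colorbox/form-unsafe/%'] = array(
    'page callback' => 'drupal_get_form',
    'page arguments' => array(2),
    'access arguments' => array('access content'),
    'type' => MENU_CALLBACK,
  );

  // Hardened route: a dedicated access callback receives the form ID and
  // consults the whitelist before the page callback ever runs.
  $items['colorbox/form/%'] = array(
    'page callback' => 'colorbox_whitelist_form_page',
    'page arguments' => array(2),
    'access callback' => 'colorbox_whitelist_form_access',
    'access arguments' => array(2),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Forms that may be opened in a Colorbox (the list from comments #1 and #2),
 * each paired with the same access test core applies on the form's own path.
 */
function colorbox_whitelist_forms() {
  return array(
    'contact_mail_page' => array('user_access', 'access site-wide contact form'),
    'user_login'        => array('user_is_anonymous'),
    'user_login_block'  => array('user_is_anonymous'),
    'user_register'     => array('user_register_access'),
    'user_pass'         => array('user_is_anonymous'),
  );
}

/**
 * Menu access callback: unknown form IDs are denied outright; known ones
 * get the access test recorded for them.
 */
function colorbox_whitelist_form_access($form_id) {
  $forms = colorbox_whitelist_forms();
  if (!isset($forms[$form_id])) {
    return FALSE;
  }
  $check = $forms[$form_id];
  $function = array_shift($check);
  return (bool) call_user_func_array($function, $check);
}

/**
 * Menu page callback: build the whitelisted form.
 *
 * The contact form is built through contact_site_page() rather than
 * drupal_get_form('contact_mail_page') so core's flood control still runs
 * (the point raised in comment #4). The user forms live in user.pages.inc,
 * which the router only loads for user/* paths, so it is loaded explicitly.
 */
function colorbox_whitelist_form_page($form_id) {
  // The router already ran the access callback; fail closed anyway in case
  // this function is ever called directly.
  if (!colorbox_whitelist_form_access($form_id)) {
    return MENU_ACCESS_DENIED;
  }
  switch ($form_id) {
    case 'contact_mail_page':
      module_load_include('inc', 'contact', 'contact.pages');
      return contact_site_page();

    default:
      module_load_include('inc', 'user', 'user.pages');
      return drupal_get_form($form_id);
  }
}
```

With this in place the link from the TEST section (colorbox/form/extlink_admin_settings) is refused at the router with a 403 because extlink_admin_settings is not in the whitelist, while a link to colorbox/form/user_login still works for anonymous visitors and is refused for logged-in ones, exactly as user/login itself behaves. Any form added to the whitelist later needs its own access entry; an entry without one should be treated as a bug, not as "open to everyone".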