Since the same authkey is used to grant access to node for view, edit and delete, a security hole is exposed when users with a view link can use the same authkey to perform other operations on the node.

Example :

A user with a link http://example.com/node/4/?authkey=5a5bc814a605658e33099cb4bdbcd5c7fe69fe09ef77faee0220905f35e62899 can use the same authkey and delete the node by adding "delete" to the link : http://example.com/node/4/delete?authkey=5a5bc814a605658e33099cb4bdbcd5c7fe69fe09ef77faee0220905f35e62899

Comments

dave reid’s picture

dave reid
he/him
Primary language English
Location Nebraska USA
commented

Since this module has a full release, this now has to be reported to the security team.

coltrane’s picture

coltrane
he/him
commented

Security Team has deemed this issue is okay to be handled publicly.

tunic’s picture

tunic
he/him
Primary language Spanish
Location Madrid
commented
Version: 7.x-1.1 » 2.x-dev
Issue summary: View changes

This is a very old report. Currently, the module allows to select with operations are enabled for a content type, so admins can enable view but no delete. Not perfect but at least allows to expose content without the risk of being deleted.

However, would be interesting to have this. Patches ar welcome.