Version: 7.x-2.x-dev
Date: 2018-February-14
Vulnerability: Access bypass
Description: 

This module enables the user to set custom permissions per path.

The module doesn't perform sufficient checks on paths with dynamic arguments (like "node/1" or "user/2"), thereby allowing the site administrator to save custom permissions for paths that won't be protected. This could lead to an access bypass vulnerability if the site is relying on the Custom Permissions module to protect those paths.

This vulnerability is mitigated by the fact that it only occurs on sites which attempted to use the Custom Permissions module to protect dynamic paths.

Solution: 

Install the latest version:

After installing the latest version, visit Administration → People → Custom Permissions (admin/people/custom_permissions) and save the form. If it saves with no errors, your site is not vulnerable. However, if an error message is displayed informing you that the module is attempting to protect paths with dynamic arguments that it is unable to protect, your site requires a manual fix; you should reconfigure the site to use a different method to protect these paths (for example, use "node/*" to protect all nodes with the same permission, rather than "node/1" to try to protect only a specific node; or, alternatively, use a node access module to protect the node-related paths with fine-grained access control).
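To review configured paths before or after the upgrade, the following added example (not part of the advisory or the module's code) flags paths that contain dynamic arguments and proposes a wildcard form in the style of "node/*". It assumes that any all-digit path segment is a dynamic argument, as in the advisory's "node/1" and "user/2"; the function names and sample paths are constructed for illustration.

```python
import re

# Assumption: a path segment made only of digits is a dynamic argument,
# as in the advisory's examples "node/1" and "user/2".
_DYNAMIC_SEGMENT = re.compile(r"^\d+$")


def normalize(path):
    """Trim whitespace and outer slashes, collapse repeated slashes."""
    return "/".join(seg for seg in path.strip().split("/") if seg)


def wildcard_form(path):
    """Return the path with each dynamic segment replaced by '*'."""
    return "/".join("*" if _DYNAMIC_SEGMENT.match(seg) else seg
                    for seg in normalize(path).split("/"))


def audit_paths(configured):
    """Split configured paths into (ok, flagged).

    flagged maps each path holding a dynamic argument to a candidate
    wildcard pattern; the candidate is broader than the original path,
    so confirm it covers only what should share one permission.
    """
    ok, flagged = [], {}
    for raw in configured:
        path = normalize(raw)
        if not path:
            continue  # skip blank entries
        suggestion = wildcard_form(path)
        if suggestion != path:
            flagged[path] = suggestion
        else:
            ok.append(path)
    return ok, flagged


# Constructed sample input: paths as an administrator might have entered them.
SAMPLE_PATHS = ["admin/reports", "node/1", " user/2/edit ", "node/*",
                "/node/12/revisions/", ""]

if __name__ == "__main__":
    ok, flagged = audit_paths(SAMPLE_PATHS)
    for path, suggestion in flagged.items():
        print(f"dynamic argument: {path!r} -> review {suggestion!r}")
    print("no dynamic arguments:", ok)
```

A flagged path is only a candidate for review; saving the form at admin/people/custom_permissions on the fixed version remains the authoritative check.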

Reported By: 
Fixed By: 
Coordinated By: