[Security-news] Custom Permissions - Moderately critical - Access bypass - SA-CONTRIB-2018-010

security-news at drupal.org security-news at drupal.org
Wed Feb 14 20:54:27 UTC 2018


View online: https://www.drupal.org/sa-contrib-2018-010

Project: Custom Permissions [1]
Version: 7.x-2.x-dev
Date: 2018-February-14
Security risk: *Moderately critical* 14/25
AC:None/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Access bypass

Description: 
This module enables the user to set custom permissions per path.

The module doesn't perform sufficient checks on paths with dynamic arguments
(like "node/1" or "user/2"), thereby allowing the site administrator to save
custom permissions for paths that won't be protected. This could lead to an
access bypass vulnerability if the site is relying on the Custom Permissions
module to protect those paths.

This vulnerability is mitigated by the fact that it only occurs on sites
which attempted to use the Custom Permissions module to protect dynamic
paths.

Solution: 
Install the latest version:

   * If you use the Custom Permissions module for Drupal 7.x, upgrade to
     Custom Permissions 7.x-2.2 [3]

After installing the latest version, visit Administration → People →
Custom Permissions (admin/people/custom_permissions) and save the form. If it
saves with no errors, your site is not vulnerable. However, if an error
message is displayed informing you that the module is attempting to protect
paths with dynamic arguments that it is unable to protect, your site requires
a manual fix; you should reconfigure the site to use a different method to
protect these paths (for example, use "node/*" to protect all nodes with the
same permission, rather than "node/1" to try to protect only a specific node;
or, alternatively, use a node access module to protect the node-related paths
with fine-grained access control).
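As an added example (not code from the module or the advisory), the script below audits a list of saved Custom Permissions paths: it flags entries with a concrete id segment such as "node/1" or "user/2", proposes the wildcard form recommended above, and checks that the wildcard actually covers the original path using a port of Drupal 7's drupal_match_path(). The numeric-segment heuristic and the drupal_match_path port are assumptions of this example, and the configured paths are constructed sample data.

```python
import re

# Constructed sample of paths as a site administrator might have saved them in
# the Custom Permissions form (not taken from any real site).
CONFIGURED_PATHS = ["node/1", "user/2", "user/2/edit", "node/*", "admin/reports/status"]


def drupal_match_path(path, patterns, front_page="node"):
    """Python port of Drupal 7's drupal_match_path() (an assumption of this
    example, written from the core function's documented behaviour): one
    pattern per line, '*' matches any run of characters including '/', and
    '<front>' stands for the site's front page path."""
    alternatives = []
    for pattern in patterns.splitlines():
        pattern = pattern.strip()
        if not pattern:
            continue
        if pattern == "<front>":
            pattern = front_page
        alternatives.append(re.escape(pattern).replace(r"\*", ".*"))
    if not alternatives:
        return False
    return re.fullmatch("|".join(f"(?:{a})" for a in alternatives), path) is not None


def dynamic_segments(path):
    """Heuristic (an assumption, not the module's own check): a purely numeric
    segment such as the '1' in 'node/1' is a concrete entity id standing in for
    a dynamic menu argument, which the vulnerable module saves but cannot protect."""
    return [i for i, seg in enumerate(path.split("/")) if seg.isdigit()]


def suggest_wildcard(path):
    """Rewrite each dynamic segment as '*', e.g. 'user/2/edit' -> 'user/*/edit'."""
    segments = path.split("/")
    for i in dynamic_segments(path):
        segments[i] = "*"
    return "/".join(segments)


def audit(paths):
    """Map every configured path that cannot be protected to its wildcard form."""
    return {p: suggest_wildcard(p) for p in paths if dynamic_segments(p)}


if __name__ == "__main__":
    for unprotected, wildcard in audit(CONFIGURED_PATHS).items():
        # The wildcard form covers the original path, and any sibling ids too.
        assert drupal_match_path(unprotected, wildcard)
        print(f"{unprotected!r} is not protected as configured; use {wildcard!r}")
```

Note that a trailing "*" matches any suffix including further "/" segments, so "user/*" also covers "user/2/edit"; the wildcard form is broader than the single path it replaces, which is why the advisory points to a node access module where fine-grained control is needed.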

Reported By: 
   * David Rothstein [4] of the Drupal Security Team

Fixed By: 
   * David Rothstein [5] of the Drupal Security Team
   * David Valdez [6] the module maintainer

Coordinated By: 
   * David Rothstein [7] of the Drupal Security Team


[1] https://www.drupal.org/project/config_perms
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/config_perms/releases/7.x-2.2
[4] https://www.drupal.org/user/124982
[5] https://www.drupal.org/user/124982
[6] https://www.drupal.org/user/992990
[7] https://www.drupal.org/user/124982
