[Security-news] Create user permission - Critical - Access bypass - SA-CONTRIB-2019-066

security-news at drupal.org security-news at drupal.org
Wed Sep 18 16:17:24 UTC 2019


View online: https://www.drupal.org/sa-contrib-2019-066

Project: Create user permission [1]
Version: 8.x-1.x-dev
Date: 2019-September-18
Security risk: *Critical* 15/25
AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass

Description: 
This module provides a separate permission that grants only the ability to
create user accounts.

The module does not respect Drupal core's "Who can register accounts?"
setting when it is set to "Visitors, but administrator approval is required".

When that option is chosen, the module overrides the setting, so accounts
created through it become usable without any administrator approval.

This vulnerability can be mitigated by having other settings in place for
account registration, such as requiring email verification for new accounts,
or permitting account creation for "Administrators only".
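The following checker is an added example for this advisory, not code from the
create_user_permission module or the Drupal Security Team. It applies the
conditions stated above to a site's exported configuration: the module must be
installed (core.extension.yml), the release must be older than 8.x-1.2 (taken
from the module's packaged version string), user.settings:register must be
"visitors_admin_approval", and verify_mail must be off for the site to count as
exposed. The REGISTER_* values are the strings Drupal core stores for the three
"Who can register accounts?" choices; the two config files and the version
strings are constructed samples, and the minimal YAML reader only handles the
flat shape of those two files.

```python
"""Check a Drupal 8 config export for exposure to SA-CONTRIB-2019-066.
Added example for the advisory; not the module's own code."""
import re

# Values Drupal core stores in user.settings:register for the three
# "Who can register accounts?" choices (UserInterface::REGISTER_* constants).
REGISTER_ADMIN_ONLY = "admin_only"
REGISTER_VISITORS = "visitors"
REGISTER_VISITORS_ADMIN_APPROVAL = "visitors_admin_approval"

MODULE = "create_user_permission"
FIXED_BRANCH_RELEASE = (1, 2)  # 8.x-1.2 carries the fix per the advisory


def _coerce(value):
    """Turn the scalar spellings used in Drupal config exports into Python values."""
    value = value.strip().strip("'\"")
    if value in ("true", "false"):
        return value == "true"
    if value.isdigit():
        return int(value)
    return value


def read_config_yaml(text):
    """Minimal reader for the flat files inspected here: top-level scalars and
    one level of indented key/value mappings. Not a general YAML parser."""
    data, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        if indent == 0:
            if value.strip() == "":
                current = {}          # start of a nested mapping
                data[key] = current
            else:
                current = None
                data[key] = _coerce(value)
        elif current is not None:
            current[key] = _coerce(value)
    return data


def release_is_fixed(version):
    """True for 8.x-1.2 or any later 8.x-1.y release. Dev snapshots such as
    '8.x-1.x-dev' (the version the advisory names) cannot be dated from the
    string alone, so they are treated as unfixed."""
    m = re.fullmatch(r"8\.x-(\d+)\.(\d+)", version or "")
    if not m:
        return False
    return (int(m.group(1)), int(m.group(2))) >= FIXED_BRANCH_RELEASE


def assess(core_extension, user_settings, module_version=None):
    """Return (status, reason); status is 'exposed', 'mitigated' or 'not_affected'."""
    modules = core_extension.get("module") or {}
    if MODULE not in modules:
        return "not_affected", "%s is not installed" % MODULE
    if release_is_fixed(module_version):
        return "not_affected", "%s %s includes the fix" % (MODULE, module_version)
    register = user_settings.get("register")
    if register != REGISTER_VISITORS_ADMIN_APPROVAL:
        return "not_affected", ("user.settings:register is %r; only %r is bypassed"
                                % (register, REGISTER_VISITORS_ADMIN_APPROVAL))
    if user_settings.get("verify_mail") is True:
        # The advisory lists email verification as a mitigation, not a fix.
        return "mitigated", "email verification is required; still upgrade to 8.x-1.2"
    return "exposed", ("%s %s with register=%s and verify_mail=false: accounts can be "
                       "created without administrator approval; upgrade to 8.x-1.2"
                       % (MODULE, module_version or "unknown version", register))


# Constructed sample exports (not taken from any real site).
CORE_EXTENSION_YML = """\
_core:
  default_config_hash: constructed-sample
module:
  create_user_permission: 0
  user: 0
theme:
  bartik: 0
profile: standard
"""

USER_SETTINGS_YML = """\
uuid: 00000000-0000-0000-0000-000000000000
anonymous: Anonymous
verify_mail: false
notify:
  status_activated: true
register: visitors_admin_approval
cancel_method: user_cancel_block
"""

if __name__ == "__main__":
    status, reason = assess(read_config_yaml(CORE_EXTENSION_YML),
                            read_config_yaml(USER_SETTINGS_YML), "8.x-1.1")
    print(status, "-", reason)
```

Run it against the files produced by `drush config:export` (or the sync
directory) and the `version:` line of the module's info.yml; the constructed
sample above reports "exposed", and flipping verify_mail to true or register
to admin_only reproduces the two mitigations the advisory lists.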

Solution: 
Install the latest version:

   * If you use the create_user_permission module for Drupal 8.x, upgrade to
     Create user permission 8.x-1.2 [3]

Also see the Create user permission [4] project page.

Reported By: 
   * jddh [5]

Fixed By: 
   * Eirik Morland [6]

Coordinated By: 
   * Michael Hess [7] of the Drupal Security Team
   * Greg Knaddison [8] of the Drupal Security Team
   * Drew Webber [9] of the Drupal Security Team


[1] https://www.drupal.org/project/create_user_permission
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/create_user_permission/releases/8.x-1.2
[4] https://www.drupal.org/project/create_user_permission
[5] https://www.drupal.org/user/509004
[6] https://www.drupal.org/user/1014468
[7] https://www.drupal.org/user/102818
[8] https://www.drupal.org/user/36762
[9] https://www.drupal.org/user/255969