[Security-news] Rename Admin Paths - Moderately critical - Access bypass - SA-CONTRIB-2022-033
security-news at drupal.org
security-news at drupal.org
Wed Apr 13 16:48:59 UTC 2022
View online: https://www.drupal.org/sa-contrib-2022-033
Project: Rename Admin Paths [1]
Version: 7.x-2.37.x-2.27.x-2.1
Date: 2022-April-12
Security risk: *Moderately critical* 10∕25
AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:All [2]
Vulnerability: Access bypass
Description:
The Rename Admin Path module provides additional security to Drupal sites by
renaming the admin paths. The module has a vulnerability with allows
attackers to bypass the protection by using specially crafted URLs.
The risk is mitigated by the fact that, even though the attacker can bypass
the protection offered by this module, all regular permissions still apply.
Solution:
Install the latest version:
* If you use the rename_admin_paths module for Drupal 7.x, upgrade to
rename_admin_paths 7.x-2.4 [3]
Only the 7.x version of the module is vulnerable. If you use the 8.x version,
you do not have to take any action.
Reported By:
* Ivo Van Geertruyen [4] of the Drupal Security Team
Fixed By:
* Ivo Van Geertruyen [5] of the Drupal Security Team
* Raphaël Apard [6]
Coordinated By:
* Chris McCafferty [7] of the Drupal Security Team
* Ivo Van Geertruyen [8] of the Drupal Security Team
[1] https://www.drupal.org/project/rename_admin_paths
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/rename_admin_paths/releases/7.x-2.4
[4] https://www.drupal.org/user/383424
[5] https://www.drupal.org/user/383424
[6] https://www.drupal.org/user/410831
[7] https://www.drupal.org/u/cilefen
[8] https://www.drupal.org/u/mrbaileys
More information about the Security-news
mailing list