Including UTF-8 in form_build_id manually leads to a MySQL 500 error

Created on 1 February 2019, almost 6 years ago
Updated 2 February 2023, almost 2 years ago

This issue was cleared by the security team to be public.

You can see this vulnerability by:
1. installing a standard Drupal
2. using curl to modify the POST data to /user/login and inserting some UTF-8 characters in form_build_id.
Example:

curl 'https://MYDRUPALWEBSITE/user/login/' \
  -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
  --compressed \
  -H 'Accept-Language: en-US,en;q=0.5' \
  -H 'Cache-Control: no-cache' \
  -H 'Connection: keep-alive' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'DNT: 1' \
  -H 'Host: MYDRUPALWEBSITE' \
  -H 'Pragma: no-cache' \
  -H 'Referer: https://MYDRUPALWEBSITE/user/login/' \
  -H 'Upgrade-Insecure-Requests: 1' \
  -H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0' \
  --data 'name=zezer&pass=zerze&form_build_id=form-čĊ&form_id=user_login_form&op=Se+connecter'

This will generate a 500 error with the message:

https://MYDRUPALWEBSITE|1547646183|php|89.212.138.36|https://MYDRUPALWEBSITE/user/login/|https://MYDRUPALWEBSITE/user/login/|0||Drupal\Core\Database\DatabaseExceptionWrapper: SQLSTATE[HY000]: General error: 1267 Illegal mix of collations (ascii_general_ci,IMPLICIT) and (utf8mb4_general_ci,COERCIBLE) for operation '=': SELECT name, value FROM {key_value_expire} WHERE expire > :now AND name IN ( :keys__0 ) AND collection = :collection; Array ( [:now] => 1547646183 [:collection] => form [:keys__0] => form-čĊ ) in Drupal\Core\KeyValueStore\StorageBase->get() (line 35 of /home/vhosts/MYDRUPALWEBSITE/MYDRUPALWEBSITE/prod/MYDRUPALWEBSITE/MYDRUPALWEBSITE/drupal/web/core/lib/Drupal/Core/KeyValueStore/StorageBase.php).

As you can see, I changed the form_build_id to include some UTF-8 characters.
This leads back to this issue https://www.drupal.org/project/drupal/issues/1923406, where the column was changed to ASCII.
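As an added example (not Drupal core code and not the reporter's), here is the kind of guard a practitioner would want in front of that key/value lookup, together with a detector for the resulting error in Drupal's syslog output. It assumes that a server-generated form_build_id is "form-" followed by URL-safe base64 characters, and that the log format is the pipe-separated syslog line quoted above; both are assumptions, not facts stated in the report. The `lookup_or_reject` helper and the sample inputs are constructed for illustration.

```python
"""Added example (not Drupal core code, not the reporter's): an ASCII guard
for form_build_id ahead of the key_value_expire lookup, plus detection of the
resulting MySQL 1267 error in Drupal's syslog output.

Assumptions, labelled as such: Drupal generates form_build_id as "form-" plus
URL-safe base64 (A-Z a-z 0-9 _ -), and the syslog module writes the
pipe-separated line format quoted in the report."""
import re
from urllib.parse import parse_qs

# Assumed shape of a server-generated id. It is pure ASCII by construction, so
# a value outside this set can never match a stored key and can be rejected
# before the query that raises the collation error.
FORM_BUILD_ID_RE = re.compile(r"form-[A-Za-z0-9_-]{16,128}")


def validate_form_build_id(value):
    """Return the id if it is well-formed, otherwise None. Never touches the DB."""
    if not isinstance(value, str) or not value.isascii():
        return None
    return value if FORM_BUILD_ID_RE.fullmatch(value) else None


def form_build_id_from_post(body):
    """Pull form_build_id out of an application/x-www-form-urlencoded body,
    decoded the way PHP would (a raw 'form-čĊ' survives unchanged)."""
    fields = parse_qs(body, keep_blank_values=True)
    return fields.get("form_build_id", [None])[0]


def lookup_or_reject(body):
    """Hypothetical helper showing the safe order: parse, validate, and only
    then hand the key to the store. Returns a short verdict string."""
    key = form_build_id_from_post(body)
    if validate_form_build_id(key) is None:
        return "rejected"   # render "invalid form" (a 4xx) instead of crashing
    return "lookup"         # safe to bind as the :keys__0 parameter


# Drupal syslog format: base_url|timestamp|type|ip|request_uri|referer|uid|link|message
SYSLOG_FIELDS = ("base_url", "timestamp", "type", "ip",
                 "request_uri", "referer", "uid", "link", "message")
COLLATION_RE = re.compile(r"SQLSTATE\[HY000\].*?1267 Illegal mix of collations")


def parse_drupal_syslog(line):
    """Split one syslog record into its nine fields; None if malformed."""
    parts = line.rstrip("\n").split("|", 8)
    return dict(zip(SYSLOG_FIELDS, parts)) if len(parts) == 9 else None


def is_collation_error(line):
    """True for a PHP-type record carrying MySQL error 1267."""
    rec = parse_drupal_syslog(line)
    return bool(rec and rec["type"] == "php" and COLLATION_RE.search(rec["message"]))


# Constructed inputs modelled on the report (host placeholder kept, IP replaced).
ATTACK_BODY = "name=zezer&pass=zerze&form_build_id=form-čĊ&form_id=user_login_form&op=Se+connecter"
SAMPLE_LOG = ("https://MYDRUPALWEBSITE|1547646183|php|203.0.113.5|https://MYDRUPALWEBSITE/user/login/|"
              "https://MYDRUPALWEBSITE/user/login/|0||Drupal\\Core\\Database\\DatabaseExceptionWrapper: "
              "SQLSTATE[HY000]: General error: 1267 Illegal mix of collations (ascii_general_ci,IMPLICIT) "
              "and (utf8mb4_general_ci,COERCIBLE) for operation '=': SELECT name, value FROM {key_value_expire} ...")

if __name__ == "__main__":
    print(lookup_or_reject(ATTACK_BODY))                       # rejected
    print(lookup_or_reject("form_build_id=form-" + "a" * 40))  # lookup
    print(is_collation_error(SAMPLE_LOG))                      # True
```

The guard costs nothing for legitimate clients, because a real form_build_id never contains bytes outside the assumed ASCII set; the detector is useful on the operations side to spot probing for this crash in existing logs.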

🐛 Bug report
Status

Needs work

Version

10.1

Component
Database 

Last updated 2 days ago

  • Maintained by
  • 🇳🇱Netherlands @daffie
Created by

🇫🇷France driki_

Tags
  • Security improvements
  • Needs tests


Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇺🇸United States smustgrave

    This issue is being reviewed by the kind folks in Slack, #needs-review-queue-initiative. We are working to keep the size of the Needs Review queue [2700+ issues] to around 400 (1 month or less), following Review a patch or merge request as a guide.

    Did not test.

    But I see it was previously tagged for tests, which still need to happen.

    Thanks
