The module is storing sensitive data in the database

Created on 16 December 2021, over 3 years ago
Updated 2 May 2023, almost 2 years ago

Note: This report has been initially published in the Security Team space but it has been decided to be made public.

The module has a security vulnerability: it saves sensitive data in the database, more specifically the content of $_SERVER. Users able to access database dumps can read PLAIN sensitive data held in environment variables (which are listed in $_SERVER). Many systems store sensitive data, such as credentials, tokens, internal URLs, etc., in environment variables; this is an industry standard. Such values should land neither in code nor in the database: they are environment specific.

You can see this vulnerability by:

  1. Enabling the module
  2. Creating a Legal Document and adding a Legal Document Version
  3. As a user with the proper permission, accepting the Legal Document
  4. Checking the entity_legal_document_acceptance table, column data

There you will find the content of the $_SERVER global, including PLAIN sensitive data from environment variables.

Relevant code:

Drupal 8/9: https://git.drupalcode.org/project/entity_legal/-/blob/3.0.x/src/Entity/...
Drupal 7: https://git.drupalcode.org/project/entity_legal/-/blob/7.x-2.x/entity_le...
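To illustrate the pattern described above, here is an added example (not the entity_legal module's own code, which lives at the links above): an acceptance record that captures the whole $_SERVER array next to a hardened version that keeps only an allowlist of request metadata, plus an audit helper for rows already stored. The function names, allowlist keys and the secret value are assumptions constructed for the demo.

```php
<?php
// Added illustration, not the entity_legal module's code.
// Constructed environment: a secret lands in $_SERVER the same way a real
// deployment's environment variables do (e.g. via the web server's env).
$_SERVER['DB_PASSWORD'] = 'example-secret-only-for-this-demo';
$_SERVER['REMOTE_ADDR'] = '203.0.113.10';
$_SERVER['HTTP_USER_AGENT'] = 'Mozilla/5.0 (demo)';

// Vulnerable pattern: everything in $_SERVER, environment variables
// included, is serialized into the acceptance record's `data` column.
function acceptance_data_unsafe(): string {
  return serialize($_SERVER);
}

// Hardened pattern: only an explicit allowlist of request metadata is
// persisted; environment variables are never copied into storage.
const ACCEPTANCE_KEYS = ['REMOTE_ADDR', 'HTTP_USER_AGENT', 'REQUEST_TIME'];

function acceptance_data_safe(): string {
  $kept = [];
  foreach (ACCEPTANCE_KEYS as $key) {
    if (array_key_exists($key, $_SERVER)) {
      $kept[$key] = $_SERVER[$key];
    }
  }
  return serialize($kept);
}

// Audit helper for existing rows: which environment-variable names appear
// in a stored `data` value? Objects are refused so untrusted rows cannot
// trigger unserialize() side effects during the audit.
function data_leaks_env(string $data, array $env_keys): array {
  $row = @unserialize($data, ['allowed_classes' => false]);
  if (!is_array($row)) {
    return [];
  }
  return array_values(array_intersect($env_keys, array_keys($row)));
}

// In a real audit the list comes from array_keys(getenv()); here it is the
// constructed key set above.
$env_keys = ['DB_PASSWORD'];
echo 'unsafe row leaks: ' . implode(',', data_leaks_env(acceptance_data_unsafe(), $env_keys)) . PHP_EOL;
echo 'safe row leaks: ' . implode(',', data_leaks_env(acceptance_data_safe(), $env_keys)) . PHP_EOL;
```

Running data_leaks_env() over every row of the acceptance table's data column gives a quick inventory of which environment variable names were exposed and therefore which secrets should be rotated after the fix is deployed.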

🐛 Bug report
Status: Needs work
Version: 2.0
Component: Code
Created by: claudiu.cristea (Arad, Romania)

  • Needs backport to D7

    After being applied to the 8.x branch, it should be considered for backport to the 7.x branch. Note: This tag should generally remain even after the backport has been written, approved, and committed.
