Menu administrators can manage links they can't access and thereby see the titles (including node titles)

Created on 7 May 2023, over 1 year ago

Originally reported to the Drupal security team by @David_Rothstein on 26 October 2017.

The original report suggested this affected D7 and D8. Assuming it affects the latest version, this issue's version is set to D10.0.

---

In Drupal core, there is an access bypass issue in that (for Drupal 7) a user with "administer menu" permission can visit a URL like admin/structure/menu/item/[mlid]/edit for any menu link on the site (where [mlid] is the menu link ID). Even if they don't have access to the item, they will still see the edit screen, which will show them the link title.

The link title is usually (but not always) equal to the title of the page that the link goes to, and in particular in the case of a node, it is usually equal to the node title. Hence the access bypass.

This does seem pretty minor from my point of view, but consider:

- Drupal clearly does try to go out of its way to prevent such users from seeing these links - for example if you go to admin/structure/menu/manage and then list links for the menu in question, any menu items that you don't have access to won't be shown to you in the list.
- Discussion at https://www.drupal.org/node/460408 (the issue which caused me to notice this problem) indicates that people there would consider it a security problem if menu administrators could see the titles of nodes they don't have access to.
- Note: In addition to admin/structure/menu/item/[mlid]/edit, something similar happens at admin/structure/menu/item/[mlid]/reset and admin/structure/menu/item/[mlid]/delete (again for Drupal 7).

For Drupal 8, the problem in the case of nodes seems to only exist at the /delete URL (/edit correctly denies access), but the effect is the same since it still allows you to see the title. For other types of menu links (e.g. system-defined links to admin pages you don't have access to) it happens at /edit.
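One defensive mitigation for the Drupal 8+ menu_link_content case described above, written as an added example for this issue and not code from Drupal core or from the reporter: a hypothetical module named `mymodule` implements hook_ENTITY_TYPE_access() so that editing or deleting a menu link additionally requires access to the link's target URL, which for a node link means node view access.

```php
<?php

/**
 * @file
 * Hypothetical module "mymodule": deny menu link edit/delete when the account
 * cannot access the link's target. Added example, not Drupal core code.
 */

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Session\AccountInterface;

/**
 * Implements hook_ENTITY_TYPE_access() for menu_link_content.
 *
 * The core edit and delete routes for menu_link_content entities are guarded
 * by entity access, so this hook runs for the /edit and /delete URLs of a
 * custom menu link. It adds a second condition on top of "administer menu":
 * the account must also be able to access the URL the link points at.
 * Otherwise the form would expose the link title (often the node title).
 */
function mymodule_menu_link_content_access(EntityInterface $entity, $operation, AccountInterface $account) {
  if (!in_array($operation, ['update', 'delete'], TRUE)) {
    return AccessResult::neutral();
  }

  // getUrlObject() builds a Url from the stored link field. For external or
  // unrouted links Url::access() returns TRUE, so only routed targets such as
  // entity.node.canonical are actually restricted here.
  $url = $entity->getUrlObject();
  $result = $url->access($account)
    ? AccessResult::neutral()
    : AccessResult::forbidden('The account cannot access the menu link target.');

  // The decision depends on this link entity and on the account's permissions,
  // so record both as cache dependencies.
  return $result->addCacheableDependency($entity)->cachePerPermissions();
}
```

This covers only menu_link_content entities; system-defined (static) links mentioned above are edited through a different route that is not subject to entity access, so they need a separate check.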

πŸ› Bug report
Status

Active

Version

10.0 ✨

Component
Menu systemΒ  β†’

Last updated about 23 hours ago

Created by

πŸ‡³πŸ‡±Netherlands dokumori Utrecht

  • Needs backport to D7

    After being applied to the 8.x branch, it should be considered for backport to the 7.x branch. Note: This tag should generally remain even after the backport has been written, approved, and committed.
