Potential security issue with Views

Created on 18 November 2023, about 1 year ago

There is a view displaying licenses of users with path www.site.com/user/uid/licenses.

The permission of the View is set to "View own licenses", the same as the permission at "admin/people/permissions" for authenticated users.

The problem:
Authenticated user with uid 20 can correctly see his own licenses at www.site.com/user/20/licenses
But the same user can see licenses of any other user just by changing the uid in the path, for example of user 25 at:
www.site.com/user/25/licenses

Of course, this is unwanted behavior and I am wondering if the cause is my misconfiguration or if it is a bug.

My config:
- Drupal 10
- Commerce license 3.0.0
- Commerce license access control 8.x-1.0 with applied patch: https://www.drupal.org/files/issues/2023-10-21/commerce_license_access_c...

Many thanks in advance for any inputs.

Support request
Status: Closed: cannot reproduce
Version: 3.0
Component: Miscellaneous
Created by: sketman (Slovakia)


Comments & Activities

  • Issue created by @sketman
  • Assigned to TomTech
  • Status changed to Closed: cannot reproduce about 1 year ago
  • United States TomTech

    Hi @sketman,

    Thanks for the report.

    Out of the box, commerce_license does NOT have a view at the path user/%uid/licenses.

    The admin view that is provided at admin/commerce/licenses requires the permission "access commerce_license overview".

    This view you refer to does not appear to come from the commerce_license module, but most likely a custom view on your site. (Or possibly provided by another module, though not currently aware of one that does.)

    Note: If this was a security issue, it should NOT be reported in the public issue queue. There is a banner and link at the top of the Create Issue page that directs you to a page for reporting Security issues.

    Presuming you have defined your own view, and it has a contextual filter for the license:owner, the most likely reason this is occurring is that the filter value is not being validated. It should look like this:

    This configuration ensures that the view results are only shown if the uid in the path matches the current user, unless the user has the administrative permission "View any licenses", in which case they can see any user's licenses.

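The validation TomTech describes, as an added example that is not from the comment above or from commerce_license (the configuration screenshot is not preserved on this page): a custom Views argument validator plugin, in an assumed module mysite_views, that accepts the uid argument only when it equals the current user's uid or the user holds the "View any licenses" permission, whose machine name "view any commerce_license" is an assumption here.

```php
<?php

namespace Drupal\mysite_views\Plugin\views\argument_validator;

use Drupal\Core\Plugin\ContainerFactoryPluginInterface;
use Drupal\Core\Session\AccountInterface;
use Drupal\views\Plugin\views\argument_validator\ArgumentValidatorPluginBase;
use Symfony\Component\DependencyInjection\ContainerInterface;

/**
 * Accepts a uid argument only for the current user or a privileged user.
 *
 * Hypothetical plugin: module name, plugin id and permission name are assumed.
 *
 * @ViewsArgumentValidator(
 *   id = "mysite_own_or_any_license",
 *   title = @Translation("Current user, or user may view any license")
 * )
 */
class OwnOrAnyLicense extends ArgumentValidatorPluginBase implements ContainerFactoryPluginInterface {

  // Assumed machine name of the "View any licenses" permission.
  const ANY_PERMISSION = 'view any commerce_license';

  public function __construct(array $configuration, $plugin_id, $plugin_definition, protected AccountInterface $currentUser) {
    parent::__construct($configuration, $plugin_id, $plugin_definition);
  }

  public static function create(ContainerInterface $container, array $configuration, $plugin_id, $plugin_definition) {
    return new static($configuration, $plugin_id, $plugin_definition, $container->get('current_user'));
  }

  /**
   * {@inheritdoc}
   */
  public function validateArgument($arg) {
    // Reject anything that is not a positive integer id ("", "0", "-1", "25abc").
    if (!is_int($arg) && !is_string($arg)) {
      return FALSE;
    }
    if (!preg_match('/^[1-9][0-9]*$/', (string) $arg)) {
      return FALSE;
    }
    // A user may always view their own licenses: path uid == current uid.
    if ((int) $arg === (int) $this->currentUser->id()) {
      return TRUE;
    }
    // Any other uid requires the administrative "view any" permission.
    return $this->currentUser->hasPermission(self::ANY_PERMISSION);
  }

}
```

Select this validator under the contextual filter's "Specify validation criteria" and set "Action to take if filter value does not validate" to display access denied, so a non-matching uid yields a 403 instead of an unfiltered result.
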
  • Slovakia sketman

    Hello @TomTech,

    many thanks for the fast and exhausting answer, I really appreciate it.

    You were right with your assumptions, it is my custom view and your solution worked for me, adding the validation criteria did the trick.
    Also, I apologize for the way I reported the security issue; I will know for the future.

    Thanks once again.

  • Denmark Stizzi

    I am also interested in the "Commerce License Access Control" module, so I made a fresh installation of D10 and Commerce, with the same Commerce license access control fork/patch and ACL-2.0.0-beta1, and could not reproduce the issue, at least not with this URL: /user/xx/licenses.
