Review to confirm the old security issues are no longer present

Created on 26 March 2024, 8 months ago
Updated 10 April 2024, 8 months ago

Problem/Motivation

This module had a report of security issues several years ago. Here is that original report:

The Drupal security team received a report of possible vulnerabilities in the module False Account.

There is an SQL Injection in the module. The problem lies in hook_user -> login of the module where the attacker is able to insert false data. Then in view operation, the module fails to sanitize the SQL query - please refer to Writing secure code manual. Also check around lines 304-305 for the same problem.

There also seems to be a Cross Site Scripting problem in _false_account_build_table().

Additionally - this module allows other users to fake requests to the site in the way that false account will record them as different UIDs. To do that, just create an arbitrary cookie with a different uid. This way, you could block other users from viewing the site.

To summarize:

* SQL Injection
* Cross Site Scripting
* Denial of service

Steps to reproduce

Unfortunately, the original report was not very specific, and our standard at the time was that a lot of communication happened 1-1 between the reporter and the maintainer, so we can't see details of that.

Proposed resolution

Review the current codebase to see if these issues are present. If they are present, fix them.

Remaining tasks

Review code.
Fix any issues that are still present.

User interface changes

TBD

API changes

TBD

Data model changes

TBD

📌 Task
Status

Fixed

Version

2.0

Component

Code

Created by

🇺🇸United States greggles Denver, Colorado, USA

  • Security



Comments & Activities

  • Issue created by @greggles
  • 🇺🇸United States greggles Denver, Colorado, USA
  • ivnish Kazakhstan

    Ok, let's check:

    1) SQL Injection is not relevant, because the new module uses Drupal Entity, not direct SQL.

    2) Cross Site Scripting problem is not relevant either, because the new module uses views table instead of custom table.

    3) Denial of service is not relevant either, because if I added any UID to my cookie, it doesn't affect other users after my login.

  • Status changed to Fixed 8 months ago
  • 🇺🇸United States greggles Denver, Colorado, USA

    Thanks for that review work!

  • Automatically closed - issue fixed for 2 weeks with no activity.
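
The cookie problem in the original report comes from believing a uid that the client supplies. The following is an added example, not code from the False Account module or from this issue: it shows the unsigned pattern beside a variant that binds the uid to a server-side HMAC so edited values are rejected. The function names, the `<uid>.<mac>` cookie layout and the demo key are assumptions.

```php
<?php
// Added example. Function names, cookie layout and key are assumptions,
// not code from the False Account module.

// Constructed demo key; a real site would load a random secret from private config.
const FA_DEMO_KEY = 'constructed-demo-key-not-for-production';

// Pattern the report describes: whatever uid the cookie claims is believed.
function fa_uid_unsigned(?string $cookie): ?int {
    return $cookie === null ? null : (int) $cookie;
}

// Issue "<uid>.<hex HMAC-SHA256 of uid>" so the value cannot be altered client-side.
function fa_issue_cookie(int $uid, string $key = FA_DEMO_KEY): string {
    return $uid . '.' . hash_hmac('sha256', (string) $uid, $key);
}

// Return the uid only when the MAC verifies; null for missing, malformed or forged input.
function fa_uid_signed(?string $cookie, string $key = FA_DEMO_KEY): ?int {
    if ($cookie === null || !preg_match('/^(\d{1,10})\.([0-9a-f]{64})$/D', $cookie, $m)) {
        return null;
    }
    $expected = hash_hmac('sha256', $m[1], $key);
    // hash_equals() compares in constant time.
    return hash_equals($expected, $m[2]) ? (int) $m[1] : null;
}

// Constructed cookie values: one issued by the server, three edited by the client.
$issued = fa_issue_cookie(42);
$samples = [
    'issued for uid 42'   => $issued,
    'bare uid 7'          => '7',
    'uid 7 with fake MAC' => '7.' . str_repeat('0', 64),
    'uid swapped to 7'    => '7' . substr($issued, 2), // keeps the MAC made for 42
];

foreach ($samples as $label => $cookie) {
    printf(
        "%-20s unsigned=%-5s signed=%s\n",
        $label,
        var_export(fa_uid_unsigned($cookie), true),
        var_export(fa_uid_signed($cookie), true)
    );
}
```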
