- Issue created by @joe.murray
This issue has been investigated by the Drupal Security Team and it has been decided to handle this as a public security improvement.
The GET query string of the relative URL /admin/people?user=12345&status=All&role=All&permission=All exposes the wildcard search term (12345 here) that site admins enter for usernames or user emails. This information is suggestive of, but not actually, user Personally Identifiable Information (PII); it is exposed on the wire and tends to get into logs. Notably, this information provides a good basis for attacks on user accounts.
See the related issue for a similar public hardening issue: https://www.drupal.org/project/drupal/issues/2414187 (User email disclosure in /user/password, status: Fixed).
Navigating to Manage > Structure > Views and clicking Edit beside People brings up a Preview of the same form at the bottom of /admin/structure/views/view/user_admin_people. It is admittedly less of a security weakness to have information suggestive of usernames and user emails exposed in this development context.
Navigate to Manage > People, enter part or all of a username or user email in 'Name or email contains', and click Filter. Note that the URL's GET query string includes a string suggestive of the username or user email.
Change the submission of the /admin/people form from GET to PUT.
Consider also switching from GET to PUT when Update Preview or Filter is clicked in the Preview on /admin/structure/views/view/user_admin_people.
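Until the form method changes, the search term keeps landing in access logs and in the Referer header of whatever the admin clicks next from the filtered results page. The following is an added example, not code from the issue or from Drupal core: a small log scrubber that redacts the value of the exposed filter parameter for the two paths named above. It assumes the Apache/nginx combined log format, takes the parameter name `user` from the URL quoted in the issue, and assumes the Views preview path uses the same parameter name; the log lines it runs on are constructed, not real traffic.

```python
# Added example (not from the issue or from Drupal core): redact the
# "Name or email contains" term that the /admin/people exposed filter puts in
# the query string, so it does not persist in web-server access logs.
# Assumptions: combined log format (Apache/nginx default) and the 'user'
# parameter name taken from the URL quoted in the issue.
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Paths whose exposed filter form submits via GET and the parameter that carries
# the search term. The Views preview path is assumed to use the same parameter.
SENSITIVE_PARAMS = {
    "/admin/people": {"user"},
    "/admin/structure/views/view/user_admin_people": {"user"},
}
REDACTED = "REDACTED"

# Request line, status, size and Referer of a "combined" log entry.
LINE_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)"'
)


def redact_url(url):
    """Return (url, n) where n sensitive parameter values were replaced."""
    parts = urlsplit(url)
    names = SENSITIVE_PARAMS.get(parts.path.rstrip("/") or "/", set())
    if not names or not parts.query:
        return url, 0
    pairs, count = [], 0
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key in names and value != "":
            pairs.append((key, REDACTED))
            count += 1
        else:
            pairs.append((key, value))
    if count == 0:
        return url, 0
    return urlunsplit(parts._replace(query=urlencode(pairs))), count


def redact_log_line(line):
    """Redact the request target and the Referer, which repeats the filtered
    URL when the admin follows a link from the results page."""
    m = LINE_RE.search(line)
    if m is None:
        return line, 0
    target, n_target = redact_url(m.group("target"))
    referer, n_ref = redact_url(m.group("referer"))
    if n_target + n_ref == 0:
        return line, 0
    rebuilt = (
        line[: m.start("target")] + target
        + line[m.end("target") : m.start("referer")] + referer
        + line[m.end("referer") :]
    )
    return rebuilt, n_target + n_ref


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2024:12:00:01 +0000] "GET /admin/people?user=joe.m&status=All&role=All&permission=All HTTP/1.1" 200 5120 "https://example.org/admin/people" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jun/2024:12:00:09 +0000] "GET /user/42/edit HTTP/1.1" 200 3300 "https://example.org/admin/people?user=alice%40example.com&status=All" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jun/2024:12:00:15 +0000] "POST /admin/people HTTP/1.1" 200 5120 "https://example.org/admin/people" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jun/2024:12:00:20 +0000] "GET /admin/people?status=All&role=All HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]


def redact_log(lines):
    """Redact every line; return (redacted_lines, total_values_redacted)."""
    out, total = [], 0
    for line in lines:
        new_line, n = redact_log_line(line)
        out.append(new_line)
        total += n
    return out, total


if __name__ == "__main__":
    lines, total = redact_log(SAMPLE_LOG)
    print("\n".join(lines))
    print(f"{total} search terms redacted")
```

Two points the sample illustrates: the second line shows that a request to an unrelated path still leaks the term through its Referer, so scrubbing the request target alone is not enough; the third line shows why a POST submission (HTML forms support only GET and POST) keeps the term out of the request line entirely, since only the path is logged. TLS protects the query string on the wire but not against server and proxy access logs or browser history, which is why the log-side control is worth keeping even after the form changes.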
None.
None expected.
None.
Status: Active
Version: 11.0