Allow disabling redirection to destination to prevent anonymous users from enumerating pages

Created on 21 June 2024, 5 months ago
Updated 6 July 2024, 5 months ago

Problem/Motivation

This module allows you to list all the pages on a site anonymously, even if the user does not have the rights to view a page.

When a request is made to the URL /node/1, the redirection retrieves the path of the associated node and adds it to the destination used after login (e.g. /my-article).

In my case (Intranet) this is a serious security problem.

Steps to reproduce

In anonymous rights, uncheck the option to view content. Make a request to node 1, for example /node/1.

You will then see the path to the real node.

Proposed resolution

To solve the problem, we can:
- Add an option to the form to enable or disable the destination
- Modify the response to add a redirect to the home page if the destination option is deactivated.

Category: Feature request
Status: Needs work
Version: 2.0
Component: Code
Created by: morgannc (La Réunion)


Comments & Activities

  • Issue created by @morgannc
  • morgannc changed the visibility of the branch 3456271-security-flaw-allowing to hidden.
  • Status changed to Needs review 5 months ago
  • Status changed to Needs work 5 months ago
  • kopeboy (Milan, Italy)

    Doesn't disabling the destination defeat the purpose of this module?
    Isn't just redirecting to the original url request (without the path alias) enough, and would that be possible to implement?

    Also, I believe this security suggestion is better handled by the famous redirect module, which has an option to:

    Check access to the redirected page
    This helps to stop redirection on protected pages and avoids giving away secret URL's. By default this feature is disabled to avoid any unexpected behavior

    Nevertheless, I applied your patch and it works fine! Although I would say, for better backwards compatibility, the default option should be to enable the Allow destination checkbox you added!
    Thank you
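As an added illustration (example code, not the module's own), the proposed resolution and the comment above can be combined in a Drupal 403 exception subscriber: when the configurable flag is off, anonymous visitors are sent to the front page with no destination; when it is on, the destination is the URI exactly as requested (/node/1) rather than the resolved alias, so the redirect itself never discloses the alias of a protected node. The module name `mymodule`, the config object `mymodule.settings` and its `allow_destination` key are assumed names.

```php
<?php

namespace Drupal\mymodule\EventSubscriber;

use Drupal\Core\Config\ConfigFactoryInterface;
use Drupal\Core\EventSubscriber\HttpExceptionSubscriberBase;
use Drupal\Core\Session\AccountProxyInterface;
use Drupal\Core\Url;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpKernel\Event\ExceptionEvent;

/**
 * Example only (not the module's code): redirects anonymous 403s to the login
 * form, or to the front page when the hypothetical "allow_destination" flag
 * in the hypothetical "mymodule.settings" config is off.
 */
class AnonymousAccessDeniedSubscriber extends HttpExceptionSubscriberBase {

  public function __construct(
    protected ConfigFactoryInterface $configFactory,
    protected AccountProxyInterface $currentUser,
  ) {}

  protected function getHandledFormats() {
    return ['html'];
  }

  protected static function getPriority() {
    // Run ahead of core's default HTML exception handling.
    return 0;
  }

  public function on403(ExceptionEvent $event) {
    if (!$this->currentUser->isAnonymous()) {
      return;
    }
    if (!$this->configFactory->get('mymodule.settings')->get('allow_destination')) {
      // Destination disabled: plain redirect to the front page, nothing leaks.
      $url = Url::fromRoute('<front>');
    }
    else {
      // Carry the URI exactly as requested (/node/1), never the resolved
      // alias (/my-article), so the redirect cannot reveal protected aliases.
      $url = Url::fromRoute('user.login', [], [
        'query' => ['destination' => $event->getRequest()->getRequestUri()],
      ]);
    }
    $event->setResponse(new RedirectResponse($url->toString(), 302));
  }
}
```

Register the class in mymodule.services.yml with the `event_subscriber` tag and the `@config.factory` and `@current_user` arguments; the corresponding checkbox in the settings form should default to enabled to keep existing behaviour, as suggested above.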
