- Issue created by @prudloff
This module has an access bypass vulnerability in some very specific cases.
RegistrationLinkAccessCheck::access() explicitly checks for a role called "administrator", but having a role with this name does not guarantee you have permission to administer the site.
You can see this vulnerability with these steps:
1. Enable the module
2. Create a role named administrator without any permissions (and without the is_admin flag).
3. As a user with this role, browse to https://example.com/user/register
4. You can create new users
The module should probably check for a permission instead (or at least check which role has the is_admin flag).
Or maybe it could simply reuse the user.register route from core instead of creating a new route that does the same thing?
(This was discussed privately with the Drupal security team and it was decided it could be handled publicly.)
Active
2.0
Code
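The difference between the role-name check reported above and a permission-based check, as an added example that is not the module's code or the reporter's. It is a plain-PHP model (PHP 8.1+) of how Drupal resolves permissions; the class names, role IDs and the choice of the core 'administer users' permission are assumptions for illustration.

```php
<?php
// Added example: a stand-alone model, not code from the module.
// Role IDs and the 'administer users' permission choice are assumptions.

final class Role {
    public function __construct(
        public readonly string $id,
        public readonly array $permissions = [],
        public readonly bool $isAdmin = false,
    ) {}
}

final class Account {
    /** @param Role[] $roles */
    public function __construct(public readonly array $roles) {}

    // Models Drupal's behaviour: a role with the is_admin flag grants every
    // permission; otherwise the permission must be listed on one of the roles.
    public function hasPermission(string $permission): bool {
        foreach ($this->roles as $role) {
            if ($role->isAdmin || in_array($permission, $role->permissions, true)) {
                return true;
            }
        }
        return false;
    }
}

// The pattern the issue describes: trust the role's machine name.
function accessByRoleName(Account $account): bool {
    foreach ($account->roles as $role) {
        if ($role->id === 'administrator') {
            return true;
        }
    }
    return false;
}

// The suggested direction: decide on a permission, never on a name.
function accessByPermission(Account $account): bool {
    return $account->hasPermission('administer users');
}

// Constructed accounts covering the cases the issue raises.
$cases = [
    'empty role named administrator' => new Account([new Role('administrator')]),
    'is_admin role named site_owner' => new Account([new Role('site_owner', [], true)]),
    'role with administer users'     => new Account([new Role('user_manager', ['administer users'])]),
];
foreach ($cases as $label => $account) {
    printf("%-32s name=%s permission=%s\n", $label,
        var_export(accessByRoleName($account), true),
        var_export(accessByPermission($account), true));
}
```

In a real access checker, Drupal core's `AccessResult::allowedIfHasPermission($account, 'administer users')` expresses the permission check and attaches the matching cache context.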