Role named "administrator" can theoretically not be an admin role

Created on 7 January 2025, 8 months ago

Problem/Motivation

This module has an access bypass vulnerability in some very specific cases.
RegistrationLinkAccessCheck::access() explicitly checks for a role called "administrator" but having a role with this name does not guarantee you have permission to administer the site.

Steps to reproduce

You can reproduce this vulnerability as follows:
1. Enable the module.
2. Create a role named "administrator" without any permission (and without the is_admin flag).
3. As a user with this role, browse to https://example.com/user/register
4. You can now create new users.

Proposed resolution

The module should probably check for a permission instead (or at least check which role has the is_admin flag).
Or maybe it could simply reuse the user.register route from core instead of creating a new route that does the same thing?

(This was discussed privately with the Drupal security team and it was decided it could be handled publicly.)

🐛 Bug report
Status

Active

Version

2.0

Component

Code

Created by

🇫🇷France prudloff Lille

  • Security


Merge Requests

Comments & Activities

  • Issue created by @prudloff
  • First commit to issue fork.
  • Merge request !4 "Create custom permission" → (Open) created by deaom
  • 🇸🇮Slovenia deaom

    Created new custom permission: access registration link and updated routing to check for the new permission. Removed role check, which means anonymous role also needs to have this new permission set to access the link/route.
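To illustrate the Proposed resolution and the merge request's permission-based approach, here is an added example (not the module's or the merge request's own code): the weak role-name check beside a permission-based check. The class name matches the one in the issue, the namespace is left out because the module is not named on this page, and the permission name "access registration link" is the one the comment above introduces.

```php
<?php

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Access\AccessResultInterface;
use Drupal\Core\Session\AccountInterface;

/**
 * Access check for the registration link route (illustrative rewrite).
 */
class RegistrationLinkAccessCheck {

  /**
   * Weak check: trusts a role's machine name rather than its permissions.
   *
   * A role whose machine name happens to be "administrator", created without
   * the is_admin flag and without any permission, still passes here. That is
   * the bypass described in the issue.
   */
  public function accessByRoleName(AccountInterface $account): AccessResultInterface {
    $allowed = in_array('administrator', $account->getRoles(), TRUE);
    // The result depends on the account's roles, so vary the cache on them.
    return AccessResult::allowedIf($allowed)->addCacheContexts(['user.roles']);
  }

  /**
   * Hardened check: grant on a permission, as the merge request does.
   *
   * "access registration link" is assumed to be declared in the module's
   * permissions.yml. A role with the is_admin flag implicitly holds every
   * permission, so hasPermission() also covers the admin-flag case from the
   * Proposed resolution; a role merely named "administrator" no longer passes.
   * Anonymous users need this permission granted explicitly, as noted above.
   */
  public function access(AccountInterface $account): AccessResultInterface {
    // allowedIfHasPermission() adds the 'user.permissions' cache context.
    return AccessResult::allowedIfHasPermission($account, 'access registration link');
  }

}
```

If the route declares `_permission: 'access registration link'` in its requirements, core's permission access checker performs the same test and the custom access check can be dropped entirely.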
