- Issue created by @drumm
Could we consider re-branding this as "Require re-authentication for certain admin actions", to include more authentication setups?
Project browser allows installing new functionality to a site. This could be used by a malicious person who has taken over someone’s account, either by social engineering, or by exploiting an XSS or other vulnerability which allows account takeover. The new functionality could chain to widen the initial vulnerability scope. For example, installing the PHP module, or adding Backup & Migrate to exfiltrate data.
This isn’t unique to project browser installing a module; there are other important actions which could be used by attackers to escalate a security problem. For example, maybe setting an admin user’s password. These places could use an extra confirmation that the person is indeed who they say they are.
Examples from other systems:
A common way to confirm a person would be good to have in core.
Asking for someone’s password to confirm would be a good first step. There might be a way to disable this in settings.php for development and environments where Drupal isn’t doing password authentication. A system to extend/override the confirmation would be ideal, but might be able to wait for a follow-up issue.
To avoid password fatigue, unlocking should persist for some time period, like an hour or two.
Yes, there is new UI for this.
Something along the lines of “unlock to make changes”
Should be usable by modules
Active
11.1 🔥
user system
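The proposal above (confirm with the password, allow disabling it in settings.php for environments without password authentication, and keep the unlock for an hour or two so people are not asked repeatedly) can be sketched as a small time-bounded gate. This is an added example, not code from Drupal core or from the issue; the class name `ReauthGate`, the `reauth_until` session key, the `reauth_disabled` setting and the one-hour TTL are all assumptions for illustration, and it uses plain PHP (`password_verify`, an in-memory session array) instead of Drupal's user and session services.

```php
<?php
// Added example, not Drupal core code: an "unlock to make changes" gate.
// All names below (ReauthGate, reauth_until, reauth_disabled) are assumptions.
declare(strict_types=1);

final class ReauthGate
{
    // How long a successful re-authentication stays valid (the issue suggests an hour or two).
    public const UNLOCK_TTL = 3600;

    /** @var array<string,mixed> */
    private array $session;
    private string $passwordHash;
    private bool $disabled;
    private ?int $now;

    /**
     * @param array<string,mixed> $session  mutable session store (e.g. $_SESSION), taken by reference
     * @param string $passwordHash           the current user's stored password hash
     * @param bool $disabled                 kill switch, the analogue of a settings.php flag for dev
     *                                       or environments where Drupal does not do password auth
     * @param int|null $now                  injectable clock, only for testing expiry
     */
    public function __construct(array &$session, string $passwordHash, bool $disabled = false, ?int $now = null)
    {
        $this->session = &$session;
        $this->passwordHash = $passwordHash;
        $this->disabled = $disabled;
        $this->now = $now;
    }

    private function now(): int
    {
        return $this->now ?? time();
    }

    /** True when the user re-authenticated within UNLOCK_TTL seconds, or the gate is disabled. */
    public function isUnlocked(): bool
    {
        if ($this->disabled) {
            return true;
        }
        $until = $this->session['reauth_until'] ?? 0;
        return is_int($until) && $until > $this->now();
    }

    /** Verify the password; on success, start (or refresh) the time-bounded unlock. */
    public function unlock(string $password): bool
    {
        if (!password_verify($password, $this->passwordHash)) {
            return false;            // wrong password: remain locked, nothing is stored
        }
        $this->session['reauth_until'] = $this->now() + self::UNLOCK_TTL;
        return true;
    }

    /** Run a sensitive action (install a module, set an admin password) only when unlocked. */
    public function guard(string $action, callable $fn): mixed
    {
        if (!$this->isUnlocked()) {
            throw new RuntimeException("Re-authentication required before: $action");
        }
        return $fn();
    }
}

// Demo with a constructed hash and an in-memory session array.
$session = [];
$hash = password_hash('correct horse battery staple', PASSWORD_DEFAULT);
$settings = ['reauth_disabled' => false];   // would come from settings.php in Drupal
$gate = new ReauthGate($session, $hash, $settings['reauth_disabled']);

var_dump($gate->isUnlocked());                             // bool(false): fresh session
var_dump($gate->unlock('wrong password'));                 // bool(false): still locked
var_dump($gate->unlock('correct horse battery staple'));   // bool(true)
var_dump($gate->guard('install module', fn() => 'installed'));  // string(9) "installed"

// Two hours later (same session, later clock) the unlock has lapsed and the action is refused.
$later = new ReauthGate($session, $hash, false, time() + 2 * ReauthGate::UNLOCK_TTL);
var_dump($later->isUnlocked());                            // bool(false)

// With the settings.php-style kill switch on, the gate is transparent (dev / non-password auth).
$dev = new ReauthGate($session, $hash, true);
var_dump($dev->isUnlocked());                              // bool(true)
```

The unlock timestamp lives server-side in the session rather than in a client-held cookie, so a stolen session still has to present the password before any guarded action, and the TTL means a long-lived hijacked session gets no standing unlock. A real implementation would hang the `guard()` call on the form submit handlers of the sensitive actions and let modules declare which of their routes need it.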