it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
[IT-SecNots] [Security-news] Create user permission - Critical - Access bypass - SA-CONTRIB-2019-066
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Create user permission - Critical - Access bypass - SA-CONTRIB-2019-066
- Date: Wed, 18 Sep 2019 16:17:24 +0000 (UTC)
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2019-066
Project: Create user permission [1]
Version: 8.x-1.x-dev
Date: 2019-September-18
Security risk: *Critical* 15∕25
AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass
Description:
This module enables you to have a separate permission only for creating
users.
The module doesn't respect Drupal's setting for "Who can register accounts?"
when set to "Visitors, but administrator approval is required".
When this option is chosen, the module overrides the setting, and makes it
possible to register accounts with no approval.
This vulnerability can be mitigated by having other settings in place for
account registration, such as requiring email verification for new accounts,
or permitting account creation for "Administrators only".
Solution:
Install the latest version:
* If you use the create_user_permission module for Drupal 8.x, upgrade to
Create user permission 8.x-1.2 [3]
Also see the Create user permission [4] project page.
Reported By:
* jddh [5]
Fixed By:
* Eirik Morland [6]
Coordinated By:
* Michael Hess [7] of the Drupal Security Team
* Greg Knaddison [8] of the Drupal Security Team
* Drew Webber [9] of the Drupal Security Team
[1] https://www.drupal.org/project/create_user_permission
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/create_user_permission/releases/8.x-1.2
[4] https://www.drupal.org/project/create_user_permission
[5] https://www.drupal.org/user/509004
[6] https://www.drupal.org/user/1014468
[7] https://www.drupal.org/user/102818
[8] https://www.drupal.org/user/36762
[9] https://www.drupal.org/user/255969
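
The conditions named in the advisory as a triage check, added here as an example and not taken from the advisory or the module's code. It assumes the inputs are the `register` and `verify_mail` values of Drupal core's `user.settings` config plus the installed module version, treats releases below 8.x-1.2 and dev snapshots as unfixed, and uses hypothetical function names and constructed inventory rows.

```shell
#!/bin/sh
# Triage for SA-CONTRIB-2019-066 (added example; inventory rows are constructed).
# Per site: `register` and `verify_mail` from Drupal's user.settings config
# (readable with `drush config:get user.settings`) and the installed
# create_user_permission version, or "-" when the module is absent.

# Succeeds only for 8.x-1.N with N >= 2 (8.x-1.2 is the fixed release).
is_fixed_version() {
    case "$1" in
        8.x-1.[0-9]*) n=${1#8.x-1.} ;;
        *) return 1 ;;   # dev snapshots, unknown strings: not confirmed fixed
    esac
    case "$n" in
        ''|*[!0-9]*) return 1 ;;   # e.g. "2-rc1": not a plain release number
    esac
    [ "$n" -ge 2 ]
}

# Prints one of: not-installed, patched, not-triggered, mitigated, exposed.
classify_exposure() {
    register=$1 verify_mail=$2 version=$3
    if [ -z "$version" ] || [ "$version" = "-" ]; then echo not-installed; return; fi
    if is_fixed_version "$version"; then echo patched; return; fi
    # The bypass applies to "Visitors, but administrator approval is required".
    if [ "$register" != visitors_admin_approval ]; then echo not-triggered; return; fi
    # Required email verification is one of the mitigations the advisory lists.
    case "$verify_mail" in
        true|1) echo mitigated ;;
        *)      echo exposed ;;
    esac
}

# Reads "site register verify_mail version" rows and prints site<TAB>status.
triage_inventory() {
    while read -r site register_v verify_v version_v; do
        [ -n "$site" ] || continue
        printf '%s\t%s\n' "$site" \
            "$(classify_exposure "$register_v" "$verify_v" "$version_v")"
    done
}

triage_inventory <<'EOF'
shop.example     visitors_admin_approval false 8.x-1.1
intranet.example admin_only              false 8.x-1.x-dev
blog.example     visitors_admin_approval true  8.x-1.0
docs.example     visitors_admin_approval false 8.x-1.2
EOF
```

Sites reported as `exposed` or `mitigated` still need the upgrade to 8.x-1.2; on `exposed` sites, accounts registered while the vulnerable version was installed should be reviewed, since they may have been created without approval.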