
it-securitynotifies - [IT-SecNots] [Security-news] Rename Admin Paths - Moderately critical - Access bypass - SA-CONTRIB-2022-033

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Rename Admin Paths - Moderately critical - Access bypass - SA-CONTRIB-2022-033
  • Date: Wed, 13 Apr 2022 16:48:59 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2022-033

Project: Rename Admin Paths [1]
Version: 7.x-2.3, 7.x-2.2, 7.x-2.1
Date: 2022-April-12
Security risk: *Moderately critical* 10∕25
AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:All [2]
Vulnerability: Access bypass

Description: 
The Rename Admin Path module provides additional security to Drupal sites by
renaming the admin paths. The module has a vulnerability which allows
attackers to bypass the protection by using specially crafted URLs.

The risk is mitigated by the fact that, even though the attacker can bypass
the protection offered by this module, all regular permissions still apply.

Solution: 
Install the latest version:

* If you use the rename_admin_paths module for Drupal 7.x, upgrade to
rename_admin_paths 7.x-2.4 [3]

Only the 7.x version of the module is vulnerable. If you use the 8.x version,
you do not have to take any action.

Reported By: 
* Ivo Van Geertruyen [4] of the Drupal Security Team

Fixed By: 
* Ivo Van Geertruyen [5] of the Drupal Security Team
* Raphaël Apard [6]

Coordinated By: 
* Chris McCafferty [7] of the Drupal Security Team
* Ivo Van Geertruyen [8] of the Drupal Security Team


[1] https://www.drupal.org/project/rename_admin_paths
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/rename_admin_paths/releases/7.x-2.4
[4] https://www.drupal.org/user/383424
[5] https://www.drupal.org/user/383424
[6] https://www.drupal.org/user/410831
[7] https://www.drupal.org/u/cilefen
[8] https://www.drupal.org/u/mrbaileys
