backdrop-ops / backdropcms.org

Issue tracker for the BackdropCMS.org website
https://backdropcms.org

Improve our Security Advisory emails #1031

Closed bugfolder closed 7 months ago

bugfolder commented 7 months ago

Our security advisory emails are missing labels, which makes them not very clear, and contain less information than the web page version. For example, here's the web page for a recent SA notice:

https://backdropcms.org/security/backdrop-sa-contrib-2024-001

Here's the content of the email, which is derived directly from the web page:

View online: https://backdropcms.org/security/backdrop-sa-contrib-2024-001

This module provides an alternative means of rebuilding the Content Access
table.

The module doesn't sufficiently reset the state of content access when the
module is uninstalled.

Node Access Rebuild Progressive versions prior to 1.x-1.0.1

Install the latest version, Node Access Rebuild Progressive 1.0.1. [1]

[1] https://backdropcms.org/project/node_access_rebuild_progressive

This is not very clear. What is the significance of that phrase "Node Access Rebuild Progressive versions prior to 1.x-1.0.1" doing all by itself?

By contrast, here's the Drupal version of the email for their corresponding SA notice:

View online: https://www.drupal.org/sa-contrib-2024-010

Project: Node Access Rebuild Progressive [1]
Date: 2024-February-21
Security risk: *Less critical* 9/25
AC:Complex/A:Admin/CI:Some/II:None/E:Theoretical/TD:All [2]
Vulnerability: Access bypass

Affected versions: <2.0.2
Description:
This module provides an alternative mean of rebuilding the Content Access
table.

The module doesn't sufficiently reset the state of content access when the
module is uninstalled.

Solution:
Install the latest version:

 * If you use the node_access_rebuild_progressive module for Drupal 9.4+,
   upgrade to node_access_rebuild_progressive 2.0.2 [3]

Reported By:
 * Pierre Rudloff [4]

Fixed By:
 * Pierre Rudloff [5]
 * Shelane French [6]

Coordinated By:
 * Greg Knaddison [7] of the Drupal Security Team
 * Damien McKenna [8] of the Drupal Security Team

[1] https://www.drupal.org/project/node_access_rebuild_progressive
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/node_access_rebuild_progressive/releases/2.0.2
[4] https://www.drupal.org/user/3611858
[5] https://www.drupal.org/user/3611858
[6] https://www.drupal.org/user/2674989
[7] https://www.drupal.org/user/36762
[8] https://www.drupal.org/user/108450

We should make our emails more closely match our SA webpage, similarly to what our Drupal brethren are doing.

bugfolder commented 7 months ago

PR submitted.

One can test this locally without having to send out emails by enabling the Devel module, then executing this code on the "Execute PHP" page, then inspecting the dpm'd value:

// Empty message array for the mailer callback to fill in (subject, body, etc.).
$message = array();
// The security advisory node whose content should become the email body.
$params = array();
$params['node'] = node_load(6503);
// Run the mailer callback directly; nothing is sent, $message is just populated.
borg_mailers_security_mail('borg_mailers_security_email', $message, $params);
// Inspect the generated message with Devel's dpm().
dpm($message, '$message');

Before:

View online: 
http://backdropcms-org:8888/security/backdrop-sa-contrib-2023-008

The Masquerade module allows users to temporarily switch to another 
user account.

The module provides a "Masquerade as admin" permission to restrict users from 
switching to an account with administrative privileges. This permission is 
not always honored and may allow non-administrative users to masquerade as an 
administrator.

This vulnerability is mitigated by the fact that an attacker must have a role 
with the "Masquerade as user" permission.

 * Masquerade module versions prior to 1.x-1.0.1.

Upgrade your site to the most recent version of Masquerade. Download 
available on the Masquerade 1.x.x release page [1]. 

[1] https://github.com/backdrop-contrib/masquerade/releases/tag/1.x.x

After (email addresses intentionally obscured):

View online: 
http://backdropcms-org:8888/security/backdrop-sa-contrib-2023-008

Date: Wednesday, Oct 4th, 2023

Advisory ID: BACKDROP-SA-CONTRIB-2023-008

Security risk: Moderately Critical

Vulnerability:

 * Cross Site Scripting
 * Access bypass

Versions affected:

 * Masquerade module versions prior to 1.x-1.0.1.

Description:

The Masquerade module allows users to temporarily switch to another 
user account.

The module provides a "Masquerade as admin" permission to restrict users from 
switching to an account with administrative privileges. This permission is 
not always honored and may allow non-administrative users to masquerade as an 
administrator.

This vulnerability is mitigated by the fact that an attacker must have a role 
with the "Masquerade as user" permission.

Solution:

Upgrade your site to the most recent version of Masquerade. Download 
available on the Masquerade 1.x.x release page [1]. 

Reported By:

 * Rick Bargerhuff [2]
 * Stephen Maiorana [3]

Fixed By:

 * smaiorana [4], Backdrop module maintainer.

Coordinated By:

 * Jen Lampton [5] of the Backdrop CMS Security Team

[1] https://github.com/backdrop-contrib/masquerade/releases/tag/1.x.x
[2] mailto:*****@rowan.edu
[3] mailto:*****@rowan.edu
[4] https://github.com/smaiorana
[5] https://github.com/jenlampton
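To show how the labelled layout in the "After" sample can be produced from structured advisory data rather than from the rendered web page, here is an added PHP example. It is not borg_mailers' code or the merged PR; the function names (`sa_render_email`, `sa_people_section`, `SaFootnotes`), the shape of the `$sa` record and the sample values are assumptions made for the illustration. Links are turned into numbered `[n]` footnotes collected once at the bottom, a URL that appears twice reuses its number, and sections with no people in them are omitted so the email never shows a bare label.

```php
<?php
// Added example, not part of the backdropcms.org code base.
// Renders a plain-text security advisory email with a label on every field,
// footnote-style links and 78-column wrapping, in the style of the "After" sample.

/** Collects URLs as numbered footnotes; the same URL always gets the same number. */
class SaFootnotes {
  private $urls = array();

  /** Returns the "[n]" marker for $url, registering it on first use. */
  public function ref($url) {
    $index = array_search($url, $this->urls, TRUE);
    if ($index === FALSE) {
      $this->urls[] = $url;
      $index = count($this->urls) - 1;
    }
    return '[' . ($index + 1) . ']';
  }

  /** Returns the "[n] url" reference list for the end of the email. */
  public function render() {
    $lines = array();
    foreach ($this->urls as $i => $url) {
      $lines[] = '[' . ($i + 1) . '] ' . $url;
    }
    return implode("\n", $lines);
  }
}

/** Renders a "Label:" section listing people; an empty list yields no section at all. */
function sa_people_section($label, array $people, SaFootnotes $notes) {
  if (empty($people)) {
    return '';
  }
  $out = $label . ":\n\n";
  foreach ($people as $person) {
    $line = ' * ' . $person['name'];
    if (!empty($person['url'])) {
      $line .= ' ' . $notes->ref($person['url']);
    }
    if (!empty($person['affiliation'])) {
      $line .= ' ' . $person['affiliation'];
    }
    $out .= $line . "\n";
  }
  return $out . "\n";
}

/** Builds the whole email body from a structured advisory record (assumed shape). */
function sa_render_email(array $sa) {
  $notes = new SaFootnotes();
  $body  = "View online: " . $sa['url'] . "\n\n";
  $body .= "Date: " . $sa['date'] . "\n\n";
  $body .= "Advisory ID: " . $sa['id'] . "\n\n";
  $body .= "Security risk: " . $sa['risk'] . "\n\n";
  $body .= "Vulnerability:\n\n";
  foreach ($sa['vulnerabilities'] as $v) {
    $body .= " * $v\n";
  }
  $body .= "\nVersions affected:\n\n";
  foreach ($sa['versions_affected'] as $v) {
    $body .= " * $v\n";
  }
  $body .= "\nDescription:\n\n" . wordwrap($sa['description'], 78) . "\n\n";
  // The solution text ends with a pointer to the release page, footnoted like other links.
  $solution = $sa['solution'] . ' ' . $notes->ref($sa['solution_url']) . '.';
  $body .= "Solution:\n\n" . wordwrap($solution, 78) . "\n\n";
  $body .= sa_people_section('Reported By', $sa['reported_by'], $notes);
  $body .= sa_people_section('Fixed By', $sa['fixed_by'], $notes);
  $body .= sa_people_section('Coordinated By', $sa['coordinated_by'], $notes);
  return $body . $notes->render() . "\n";
}

// Constructed sample record with placeholder values; not a real advisory.
$sample = array(
  'url'               => 'https://example.test/security/backdrop-sa-contrib-YYYY-NNN',
  'date'              => 'Monday, Jan 1st, YYYY',
  'id'                => 'BACKDROP-SA-CONTRIB-YYYY-NNN',
  'risk'              => 'Moderately Critical',
  'vulnerabilities'   => array('Access bypass'),
  'versions_affected' => array('Example module versions prior to 1.x-1.0.1.'),
  'description'       => "The Example module does something useful.\n\n"
    . "A permission meant to restrict a sensitive action is not always honored, "
    . "which may allow users without that permission to perform the action.",
  'solution'          => 'Upgrade your site to the most recent version of Example. '
    . 'Download available on the Example 1.x.x release page',
  'solution_url'      => 'https://example.test/releases/1.x.x',
  'reported_by'       => array(
    array('name' => 'Reporter One', 'url' => 'https://example.test/user/reporter-one'),
  ),
  'fixed_by'          => array(
    // Same person, same URL: the footnote number is reused rather than duplicated.
    array('name' => 'Reporter One', 'url' => 'https://example.test/user/reporter-one',
          'affiliation' => 'Backdrop module maintainer.'),
  ),
  'coordinated_by'    => array(
    array('name' => 'Coordinator', 'url' => 'https://example.test/user/coordinator',
          'affiliation' => 'of the Backdrop CMS Security Team'),
  ),
);

echo sa_render_email($sample);
```

Reusing a footnote number for a repeated URL is a deliberate choice here; the Drupal sample above instead lists the same user URL twice as [4] and [5], and either convention is fine as long as the body and the reference list agree. Wrapping with `wordwrap()` keeps the lines below the usual 78-column limit for plain-text mail without touching the explicit paragraph breaks in the description.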

jenlampton commented 7 months ago

@bugfolder this looks fantastic, thanks so much for working on it! I merged the PR, please go ahead and deploy when you can.