pressflow / 6

Each version of Pressflow is API-compatible with the same major Drupal version. For example, Pressflow 6 is compatible with all Drupal 6 modules. Pressflow 6 also integrates the SimpleTest system from Drupal 7 and the CDN support patch.
http://pressflow.org/
GNU General Public License v2.0

SA-CORE-2016-002: Patch user module vulnerability that sometimes grants the user all ro… #104

Closed ashalan closed 8 years ago

ashalan commented 8 years ago

…les on save

dsnopek commented 8 years ago

Several members of the Drupal security team attempted to reproduce this security issue on Drupal 6 and were unable to - that's why the Drupal 6 Long-Term Support vendors didn't release a patch. Here's a short excerpt from the comments on the private issue on security.drupal.org:

on 6.37 I have created a new site, enabled a custom module, added a new role, added a new user. Logged in as the new user in a new browser, edited the account, [...] confirmed that the DSM is displayed, submitted again. As uid 1 I confirmed that the new user did not get the new role.

A difference between D7 and D6 is that D6 completely omits the role section if the user does not have the 'administer permissions' permission.

So, I don't think this fix is necessary!
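
The distinction dsnopek draws, as an added illustration that is not code from Pressflow, Drupal or anyone in this thread: a form builder that omits the roles element entirely when the editing user lacks 'administer permissions' (the Drupal 6 behaviour described above), beside one that always defines the element and only hides it, and a submit handler that does or does not re-check the permission before storing roles. The form structures, user records, role names and handler functions are constructed stand-ins, not Drupal's Form API.

```python
"""Added illustration (not Pressflow's or Drupal's code) of why omitting a
form element differs from merely hiding it when the submit handler trusts
submitted values. All records below are constructed for the example."""

ADMINISTER_PERMISSIONS = "administer permissions"

# Constructed sample editors: one without the permission, one with it.
LIMITED_EDITOR = {"name": "newuser", "permissions": set()}
ADMIN_EDITOR = {"name": "uid1", "permissions": {ADMINISTER_PERMISSIONS}}
SITE_ROLES = ("editor", "administrator")


def build_form_omitting_roles(editor):
    """Drupal 6 style, as described in the thread: the roles element is never
    created when the editor lacks the permission, so the form has no roles key."""
    form = {"name": {"type": "textfield", "access": True}}
    if ADMINISTER_PERMISSIONS in editor["permissions"]:
        form["roles"] = {"type": "checkboxes", "options": SITE_ROLES, "access": True}
    return form


def build_form_hiding_roles(editor):
    """Alternative style: the element always exists and an access flag decides
    whether it is rendered. The key is present in the definition either way."""
    form = {"name": {"type": "textfield", "access": True}}
    form["roles"] = {
        "type": "checkboxes",
        "options": SITE_ROLES,
        "access": ADMINISTER_PERMISSIONS in editor["permissions"],
    }
    return form


def naive_submit(form, submitted, account):
    """Submit handler that copies every submitted value whose key the form
    defines, without consulting the element's access flag."""
    updated = dict(account)
    for key in form:
        if key in submitted:
            updated[key] = submitted[key]
    return updated


def hardened_submit(form, submitted, account, editor):
    """Submit handler that drops values for elements the editor may not access
    and re-checks the permission for roles regardless of what the form says."""
    updated = dict(account)
    for key, element in form.items():
        if key not in submitted or not element.get("access", True):
            continue
        if key == "roles" and ADMINISTER_PERMISSIONS not in editor["permissions"]:
            continue
        updated[key] = submitted[key]
    return updated


def run_scenarios():
    """A limited editor saves their own account; the constructed POST body
    carries a roles value the form never showed them. Returns the roles stored
    in each combination of form style and submit handler."""
    account = {"name": "newuser", "roles": []}
    submitted = {"name": "newuser", "roles": ["administrator"]}
    results = {}
    omit_form = build_form_omitting_roles(LIMITED_EDITOR)
    results["omit+naive"] = naive_submit(omit_form, submitted, account)["roles"]
    hide_form = build_form_hiding_roles(LIMITED_EDITOR)
    results["hide+naive"] = naive_submit(hide_form, submitted, account)["roles"]
    results["hide+hardened"] = hardened_submit(
        hide_form, submitted, account, LIMITED_EDITOR)["roles"]
    # An editor who actually holds the permission assigns the role legitimately.
    admin_form = build_form_hiding_roles(ADMIN_EDITOR)
    results["admin+hardened"] = hardened_submit(
        admin_form, submitted, account, ADMIN_EDITOR)["roles"]
    return results


if __name__ == "__main__":
    for case, roles in run_scenarios().items():
        print(f"{case:15} -> roles saved: {roles}")
```

Only the "hide+naive" combination stores a role the editor was never allowed to set; omitting the element (D6) or re-checking the permission in the submit handler both leave the account's roles untouched, which is the behaviour the reproduction attempt on 6.37 confirmed.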

ashalan commented 8 years ago

Noted. Thanks for the prompt response @dsnopek !!