render.php is world-readable

dmuth - December 27, 2006 - 04:29
Project: Graphstat
Version: 4.7.x-1.x-dev
Component: Code
Category: bug report
Priority: normal
Assigned: Unassigned
Status: active
Description

Hi,

The file render.php, which is part of the Graphstat module, can be executed by any user on the system, including an anonymous user.

Impact: third-parties may learn about usage and trends of the current Drupal installation.

Example:
- Install graphstat into DOCUMENT_ROOT/modules/graphstat/
- Load, via the web browser, www.sitename.com/modules/graphstat/render.php?l=1,2,5,10,15,82,95,129,18...

The user can then see the graph.

Fix: I don't know the Drupal security system well enough to know what our options are. If it's possible to call whatever function is used to verify the user's credentials, and then check to see if they have the permission for viewing graphs, that would be the ideal solution. Perhaps someone more knowledgeable than myself can comment.

Thanks,

-- Doug
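One way to get the permission check the report asks for, shown here as an added example rather than Graphstat's own code: route the graph through a Drupal menu callback so that Drupal's bootstrap and access check run before any image is drawn. It assumes Drupal 4.7 hook conventions (hook_perm, hook_menu with a boolean 'access' key, user_access()); the path 'graphstat/render' and the permission name 'view graphs' are assumptions, and the drawing code is a stand-in for whatever render.php actually plots.

```php
<?php
// Added example, not Graphstat's own code: serve the graph through a Drupal
// menu callback so the permission check runs before anything is drawn.
// Assumes Drupal 4.7 hooks; the path and 'view graphs' permission are assumed.
// Declare the permission so administrators can grant it per role.
function graphstat_perm() {
  return array('view graphs');
}
// Register the path; Drupal answers 403 unless 'access' is TRUE for the user.
function graphstat_menu($may_cache) {
  $items = array();
  if ($may_cache) {
    $items[] = array(
      'path'     => 'graphstat/render',
      'callback' => 'graphstat_render_page',
      'access'   => user_access('view graphs'),
      'type'     => MENU_CALLBACK,
    );
  }
  return $items;
}
// Accept only a comma-separated list of non-negative integers from ?l=...
function graphstat_parse_values($raw) {
  $values = array();
  foreach (explode(',', $raw) as $v) {
    $v = trim($v);
    if ($v !== '' && ctype_digit($v)) {
      $values[] = (int) $v;
    }
  }
  return $values;
}
// Menu callback: reached only after the access check above has passed.
function graphstat_render_page() {
  $values = graphstat_parse_values(isset($_GET['l']) ? $_GET['l'] : '');
  if (count($values) < 2) {
    drupal_not_found();   // nothing sensible to plot
    return;
  }
  $w = 300; $h = 100;
  $im = imagecreatetruecolor($w, $h);
  imagefilledrectangle($im, 0, 0, $w - 1, $h - 1, imagecolorallocate($im, 255, 255, 255));
  $fg = imagecolorallocate($im, 0, 0, 128);
  $max = max(1, max($values));           // avoid division by zero on all-zero input
  $step = $w / (count($values) - 1);     // x spacing between consecutive points
  for ($i = 1; $i < count($values); $i++) {
    imageline($im, (int) (($i - 1) * $step), (int) ($h - $values[$i - 1] / $max * ($h - 1)), (int) ($i * $step), (int) ($h - $values[$i] / $max * ($h - 1)), $fg);
  }
  header('Content-Type: image/png'); imagepng($im);
  imagedestroy($im); exit;
}
```

The standalone modules/graphstat/render.php still has to be removed (or made to do nothing when not bootstrapped), since the menu access check only covers requests that Drupal itself routes.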
