i've seen that system_settings_save() is storing everything from $_POST['edit'] with variable_set without doing any checks.

so this bypasses the permissions which the administrator can set through the access controls, because he is able to edit all settings once he has access to an admin page.

so users with access to one of

  • administer comments
  • administer filters
  • administer forums
  • administer nodes
  • administer site configuration

have in the end access to all of them

i think this doesn't matter for most sites - however it makes at least these controls redundant.

Comments

moshe weitzman’s picture

Status: Active » Fixed
moshe weitzman’s picture

Status: Fixed » Active

this is fixed by form api, and thus only available in HEAD.

chx’s picture

While technically it is a problem that someone can set any variables, I fail to see how this leads to privilege escalation. That kind of stuff is not stored in variables.

fago’s picture

yes.
however, the availability of these separate settings gives the impression that they can be set independently of one another, which isn't really the case.

dopry’s picture

Status: Active » Closed (won't fix)

system_settings_save does not bypass access control. It does not enforce it. Getting to the admin/settings requires administer site settings permissions, enforced by the menu, and should be sufficient. If another module is implementing system_settings_save in an insecure manner, a bug should be filed against that module. If the documentation is unclear a bug should be filed against the documentation.

chx’s picture

what's more, in Drupal 4.7 it's only saving what's shown on the page so this is rather 'fixed' than won't fix, but anyway it's not an issue any more.
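The two behaviours contrasted in this thread (persisting every submitted key versus persisting only the keys the rendered form declared), as an added example that is not part of the original issue and is not Drupal's code. The store, the function names and the variable names are hypothetical stand-ins, and the submitted data is constructed.

```php
<?php
// Stand-in for the settings store (assumption: a plain array, not Drupal's variable table).
$store = [];

function variable_set_demo(string $name, $value): void {
    global $store;
    $store[$name] = $value;
}

// Pattern described in the report: every key in the submitted array is saved,
// regardless of which settings page the request came from.
function save_all_submitted(array $edit): void {
    foreach ($edit as $name => $value) {
        variable_set_demo((string) $name, $value);
    }
}

// Allowlist variant: only keys that the rendered form declared are saved.
// Returns the rejected keys so they can be logged for review.
function save_declared_only(array $edit, array $declared): array {
    $rejected = [];
    foreach ($edit as $name => $value) {
        if (in_array((string) $name, $declared, true)) {
            variable_set_demo((string) $name, $value);
        } else {
            $rejected[] = (string) $name;
        }
    }
    return $rejected;
}

// Constructed input: the comment settings form declares one field,
// but the request carries an extra key belonging to another settings page.
$declared = ['comment_demo_per_page'];
$edit = ['comment_demo_per_page' => 30, 'site_demo_offline' => 1];

save_all_submitted($edit);
echo "save-all stored: ", implode(', ', array_keys($store)), "\n";

$store = [];
$rejected = save_declared_only($edit, $declared);
echo "allowlist stored: ", implode(', ', array_keys($store)), "\n";
echo "allowlist rejected: ", implode(', ', $rejected), "\n";
```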