Please note: security team has cleared this issue to be discussed publicly.
Problem: Invite module users can grant themselves administrator role.
Users with 'Invite module > Send invitations' and 'System > Admin site configuration' permissions can access 'admin > settings > invites > settings', where they can adjust the Role settings awarded when an invited person accepts an invite and registers as a user. The user with settings permission can select from all roles available on the website. A malicious user could set the 'Target Role' to Administrator and then send themselves an invite, which would create a user with the full administrator role.
I suggest the administrator role should not be available to non-admin users through modules which have the ability to assign roles.
I tried using the 'Assign role' module to restrict the roles available, but the Invite module does not seem to respect the permissions created by the Invite module.
Linux
MySQL database 5.0.85
PHP 5.2.11
D6-15
Invite 6.x-2.0-alpha1
Permissions settings:
Invite module > send invitations: yes
Invite module > send mass invitations: no
Invite module > track invitations: yes
Invite module > withdraw accepted invitations: yes
System module > Admin site configuration: yes
User module > administer permissions: no
User module > administer users: no
| Comment | File | Size | Author |
|---|---|---|---|
| #1 | 695034-admin-permission.patch | 1.65 KB | smk-ka |
Comments
Comment #1
smk-ka commented:

This has been fixed by adding a new permission that restricts access to the administrative pages.
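The pattern behind the report and the fix, as an added example that is not the Invite module's code and not the attached patch: a hypothetical Drupal 6 module `invite_example` whose settings page is first gated on the generic 'administer site configuration' permission (the situation described in the report), then on a dedicated module permission (the approach comment #1 describes). The additional restriction of the role list to roles the current user already holds, with a server-side validate handler so a tampered option list cannot bypass it, is the reporter's suggestion carried into code and is an assumption of this example, not something the patch is stated to do. All function and variable names prefixed `invite_example_` are invented for illustration.

```php
<?php
// Added example, not the Invite module's code and not the attached patch.
// Hypothetical Drupal 6 module "invite_example"; every invite_example_*
// name is an assumption made for illustration.

/**
 * Implementation of hook_perm().
 *
 * A module-specific permission for the settings page, so that holding
 * 'administer site configuration' alone no longer reaches it.
 */
function invite_example_perm() {
  return array('administer invite example');
}

/**
 * Implementation of hook_menu().
 */
function invite_example_menu() {
  $items = array();

  // BEFORE (the weakness in the report): anyone with the generic
  // 'administer site configuration' permission reaches the form and can
  // pick any role, including Administrator, as the target role.
  // $items['admin/settings/invite-example'] = array(
  //   'title' => 'Invite example settings',
  //   'page callback' => 'drupal_get_form',
  //   'page arguments' => array('invite_example_settings_form'),
  //   'access arguments' => array('administer site configuration'),
  // );

  // AFTER: the page is gated on the dedicated permission above.
  $items['admin/settings/invite-example'] = array(
    'title' => 'Invite example settings',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('invite_example_settings_form'),
    'access arguments' => array('administer invite example'),
    'type' => MENU_NORMAL_ITEM,
  );
  return $items;
}

/**
 * Settings form: only roles the current user may hand out are offered.
 */
function invite_example_settings_form() {
  $form['invite_example_target_role'] = array(
    '#type' => 'select',
    '#title' => t('Target role'),
    '#options' => invite_example_grantable_roles(),
    '#default_value' => variable_get('invite_example_target_role', DRUPAL_AUTHENTICATED_RID),
  );
  return system_settings_form($form);
}

/**
 * Validate handler: reject any role outside the grantable set, even if
 * the submitted value was not in the rendered option list.
 */
function invite_example_settings_form_validate($form, &$form_state) {
  $rid = $form_state['values']['invite_example_target_role'];
  if (!array_key_exists($rid, invite_example_grantable_roles())) {
    form_set_error('invite_example_target_role', t('You are not allowed to assign that role.'));
  }
}

/**
 * Roles the current user may assign: every non-anonymous role if the user
 * holds 'administer permissions', otherwise only the roles they already have.
 * This is the example's own policy (an assumption), not core behaviour.
 */
function invite_example_grantable_roles() {
  global $user;
  $roles = user_roles(TRUE); // rid => name, anonymous excluded
  if (user_access('administer permissions')) {
    return $roles;
  }
  return array_intersect_key($roles, $user->roles);
}
```

With this in place, the reporter's permission set (Send invitations plus Admin site configuration, without administer permissions or administer users) neither reaches the settings page nor, if the page were reached by some other route, can select a role the user does not already hold.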