Fast Autocomplete - Moderately critical - Access bypass - SA-CONTRIB-2021-005
Project: Fast Autocomplete
Version: 8.x-1.7, 8.x-1.6, 8.x-1.5, 8.x-1.4, 8.x-1.3, 8.x-1.2, 8.x-1.1, 8.x-1.0
Date: 2021-March-17
Security risk: Moderately critical 12/25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass
Description: The Fast Autocomplete module provides fast IMDB-like suggestions below a text input field. Suggestions are stored as JSON files in the public files folder so that they can be served to the browser quickly, without Drupal having to be bootstrapped.
The module doesn't correctly generate certain hashes when the configuration option "Perform search as anonymous user only" is switched from its default (on) to off.
This enables a malicious user to read search results generated by users with other roles, disclosing search results the user normally has no access to.
Solution: Install the latest version:
- If you use the Fast Autocomplete module for Drupal 8.x or 9.x, upgrade to Fast Autocomplete 8.x-1.8.
Alternatively, re-enable the setting "Perform search as anonymous user only" so that only anonymous search results are displayed, and delete the generated files using the "Delete json files" option in every Fast Autocomplete configuration.
Fast Autocomplete for Drupal 7.x is not affected.
Reported By:
- Heine Deelstra of the Drupal Security Team
Fixed By:
- Heine Deelstra of the Drupal Security Team
- Martijn Vermeulen
Coordinated By:
- Heine Deelstra of the Drupal Security Team
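To make the access-bypass mechanism described above concrete, here is an added illustration of the general pattern; it is not the Fast Autocomplete module's code, which the advisory does not reproduce. Suggestion files served from a public directory and named by a hash of the search text alone are shared by every role that searches the same term, so a visitor can receive results that were generated for a more privileged role. A name that also covers the requester's roles and a site secret keeps one role's file from being fetched with another role's key. The in-memory store, result sets, role names and secret are all constructed for the example.

```python
"""Illustrative only: why pre-generated suggestion files served from a public
directory must be named per access context, not per search text alone.
This is not the Fast Autocomplete module's code; the store, roles and result
sets are constructed for the example."""
import hashlib
import hmac
import json

# Constructed sample data: the same search term returns more to an editor
# (who may see unpublished content) than to an anonymous visitor.
ANONYMOUS_RESULTS = [{"title": "Public article"}]
EDITOR_RESULTS = [{"title": "Public article"}, {"title": "Unpublished draft"}]

# Hypothetical site-specific secret (assumption): in a real deployment this
# comes from private settings, never from anything under the public files path.
SITE_SECRET = b"example-private-hash-salt"


def key_query_only(query, roles=()):
    """Weak naming: the file name depends on the search text alone, so every
    role that searches the same text reads (or overwrites) the same public
    file. `roles` is accepted but deliberately ignored."""
    return hashlib.sha256(query.strip().lower().encode("utf-8")).hexdigest()


def key_query_and_roles(query, roles, secret=SITE_SECRET):
    """Hardened naming: bind the file name to the access context. Roles are
    de-duplicated and sorted so one role set always maps to one key, and the
    keyed hash means the name cannot be derived without the site secret."""
    material = json.dumps(
        {"q": query.strip().lower(), "roles": sorted(set(roles))},
        sort_keys=True, separators=(",", ":"),
    ).encode("utf-8")
    return hmac.new(secret, material, hashlib.sha256).hexdigest()


class PublicFileStore:
    """Stand-in for the web-served public files directory: anything written
    here is readable by whoever knows (or can reproduce) the file name."""

    def __init__(self):
        self.files = {}

    def write(self, key, results):
        self.files[f"{key}.json"] = json.dumps(results)

    def read(self, key):
        raw = self.files.get(f"{key}.json")
        return None if raw is None else json.loads(raw)

    def purge(self):
        """Equivalent of the advisory's "Delete json files" mitigation:
        removes every generated file and returns how many were dropped."""
        count = len(self.files)
        self.files.clear()
        return count


def anonymous_reads_editor_results(key_fn):
    """An editor's search populates the cache first; an anonymous visitor then
    requests the same term. Returns True if the anonymous request receives
    anything beyond the anonymous result set."""
    store = PublicFileStore()
    store.write(key_fn("drafts", ["authenticated", "editor"]), EDITOR_RESULTS)
    got = store.read(key_fn("drafts", ["anonymous"]))
    return got is not None and any(item not in ANONYMOUS_RESULTS for item in got)


if __name__ == "__main__":
    print("query-only key leaks editor results:",
          anonymous_reads_editor_results(key_query_only))
    print("role-bound key leaks editor results:",
          anonymous_reads_editor_results(key_query_and_roles))
```

The `purge` method mirrors the advisory's interim mitigation: once files generated under the weak naming scheme exist in the public folder, changing the key derivation alone does not remove them, so the already-written files have to be deleted as well.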