Ricochet super-team Stephen Pope and Rick Destree were invaluable in upgrading the functionalities of the MarketTools corporate website, helping us implement new design elements and site structure, and launching a new website on very short notice when our business unit was acquired by Confirmit. Along the way, they taught me a lot about Drupal! Stephen’s help was critical in dealing with some difficult pre-existing server environment issues, and he went the extra mile many times to get us past the crunch points. I absolutely recommend Stephen and his team!
—Laura Newton

Rename Admin Paths - Moderately critical - Access bypass - SA-CONTRIB-2022-033

Tue, 2022-04-12 10:17 — Anonymous (not verified)

Project: Rename Admin PathsVersion: 7.x-2.37.x-2.27.x-2.1Date: 2022-April-12Security risk: Moderately critical 10∕25 AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:AllVulnerability: Access bypassDescription: The Rename Admin Path module provides additional security to Drupal sites by renaming the admin paths. The module has a vulnerability with allows attackers to bypass the protection by using specially crafted URLs.
The risk is mitigated by the fact that, even though the attacker can bypass the protection offered by this module, all regular permissions still apply.Solution: Install the latest version:

If you use the rename_admin_paths module for Drupal 7.x, upgrade to rename_admin_paths 7.x-2.4

Only the 7.x version of the module is vulnerable. If you use the 8.x version, you do not have to take any action.Reported By:

Ivo Van Geertruyen of the Drupal Security Team

Fixed By:

Ivo Van Geertruyen of the Drupal Security Team
Raphaël Apard

Coordinated By:

Chris McCafferty of the Drupal Security Team
Ivo Van Geertruyen of the Drupal Security Team

Path to article https://www.drupal.org/sa-contrib-2022-033

Search form

Rename Admin Paths - Moderately critical - Access bypass - SA-CONTRIB-2022-033