Posted by cubeinspire on October 21, 2012 at 8:03pm
Hi,
I'm reviewing a sandbox project for Drupal 7 called Overlay Links that encourages enabling the overlay module for anonymous users.
review comment: http://drupal.org/node/1811482#comment-6609236
I've read on some blog that doing this has security concerns, but there were no more details about that.
blog link: http://www.drupalgardens.com/documentation/site-management/admin-theme
Do you have any details about the security implications of enabling the permission "Access the administrative overlay" for anonymous users?

Comments
I'm not sure why overlay and admin functions are lumped together. I'm not aware of any security issues (though I haven't looked into it). Did you try enabling overlay for an authenticated role and poking around on a site?
knaddison blog | Morris Animal Foundation
Overlay pokes
Well, I activated it and tried 2 or 3 things, but I didn't spend hours trying to hack it.
cube inspire - web design and web development solutions !
Hello, I'm the author of Overlay Userlinks, the module in discussion. I'm replying here, mainly in order to follow this conversation.
After a suggestion by logicdesign I've done some research about possible security issues.
The reported exploit I could find is this: http://exploitsdownload.com/exploit/na/drupal-cms-712-cross-site-request...
and it didn't do anything on a Drupal 7.15 installation. I've tried it with my module enabled and access to overlay by anonymous users.
This is the only thing I could find where an exploit uses the overlay in its code to do bad things.
I've also documented the situation in the readme file of course, but I would like to be aware of any security issues that might arise with my module.
Logicdesign, thank you for your support in this and for your digging for information; your help is very valuable to me.
PS: I would like to add that I do not encourage people to enable overlay for anonymous users, I simply state that there might be some security issues :)
Bill Seremetis
http://srm.gr - working with Drupal in Greece
Overlay for Anonymous
Glad I can be of some support for you!
I think we can trust greggles' experience by now, but it would be very positive if you kept tracking this post and looking for info about this possible security issue.
cube inspire - web design and web development solutions !
I'm keeping the exploits listing site I posted above under close watch (I hope I said that correctly in the English language).
I have in mind several things I'd like to do with the Overlay module, so these security concerns concern me too :)
Bill Seremetis
http://srm.gr - working with Drupal in Greece