Moderate severity · OSV Advisory · Published Apr 17, 2019 · Updated Aug 5, 2024

CVE-2018-20028


Description

Contao 3.x before 3.5.37, 4.4.x before 4.4.31 and 4.6.x before 4.6.11 has Incorrect Access Control. Per the fix commit below, the back end did not consistently restrict the `paste` and `select` actions, and the page tree shown to users without page mounts, to records the logged-in back-end user is allowed to access, which let such users see information from records outside their mounts.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
contao/contao (Packagist) | >= 3.0.0, < 3.5.37 | 3.5.37
contao/contao (Packagist) | >= 4.6.0, < 4.6.11 | 4.6.11
contao/contao (Packagist) | >= 4.4.0, < 4.4.31 | 4.4.31


Patches

1
bbe5fe1d385c

Prevent information disclosure through incorrect access control in the back end (see CVE-2018-20028)

https://github.com/contao/contao · Leo Feyer · Dec 13, 2018 · via GHSA
12 files changed · +66 −23
  • calendar-bundle/src/Resources/contao/dca/tl_calendar_events.php+5 2 modified
    @@ -572,7 +572,11 @@ public function checkPermission()
     		switch (Input::get('act'))
     		{
     			case 'paste':
    -				// Allow
    +			case 'select':
    +				if (!\in_array($id, $root))
    +				{
    +					throw new Contao\CoreBundle\Exception\AccessDeniedException('Not enough permissions to access calendar ID ' . $id . '.');
    +				}
     				break;
     
     			case 'create':
    @@ -609,7 +613,6 @@ public function checkPermission()
     				}
     				break;
     
    -			case 'select':
     			case 'editAll':
     			case 'deleteAll':
     			case 'overrideAll':
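Review bot: The new guard `if (!\in_array($id, $root))` in the combined paste/select branch uses loose comparison, so on PHP 7 a string id such as `"3abc"` compares equal to an integer root entry 3 and an empty id compares equal to a root entry of 0; both `$id` and `$root` are assigned above this hunk, so I cannot tell whether `$id` has already been cast. The `create` branch of the tl_form_field.php hunk in this same commit also rejects an empty id before the membership test, and mirroring that here would close the gap: `if (!\strlen($id) || !\in_array((int) $id, $root, true))`, assuming `$root` holds integers. checkPermission() starts and ends outside this hunk.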
    
  • calendar-bundle/src/Resources/contao/dca/tl_content.php+1 4 modified
    @@ -59,11 +59,8 @@ public function checkPermission()
     		// Check the current action
     		switch (Input::get('act'))
     		{
    -			case 'paste':
    -				// Allow
    -				break;
    -
     			case '': // empty
    +			case 'paste':
     			case 'create':
     			case 'select':
     				// Check access to the news item
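Review bot: The `paste` case now falls into a block whose context comment reads `// Check access to the news item`, but this file is calendar-bundle/.../tl_content.php, where the parent record is a calendar event; the comment looks copied from the news bundle and should read `// Check access to the calendar event`. The check itself and the remainder of checkPermission() lie below the hunk, so I cannot confirm which table it queries; it is worth verifying the copy did not also carry over a news-specific lookup. checkPermission() starts above this hunk.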
    
  • CHANGELOG.md+4 0 modified
    @@ -1,5 +1,9 @@
     # Change log
     
    +## DEV
    +
    + * Prevent information disclosure through incorrect access control in the back end (see CVE-2018-20028).
    +
     ## 4.4.30 (2018-12-04)
     
      * Fix a compatibility issue with Doctrine DBAL 2.9 (see #212).
    
  • core-bundle/src/Resources/contao/dca/tl_article.php+10 1 modified
    @@ -376,7 +376,16 @@ public function checkPermission()
     		$GLOBALS['TL_DCA']['tl_page']['fields']['cgroup']['default'] = (int) Config::get('defaultGroup') ?: (int) $this->User->groups[0];
     
     		// Restrict the page tree
    -		$GLOBALS['TL_DCA']['tl_page']['list']['sorting']['root'] = $this->User->pagemounts;
    +		if (empty($this->User->pagemounts) || !\is_array($this->User->pagemounts))
    +		{
    +			$root = array(0);
    +		}
    +		else
    +		{
    +			$root = $this->User->pagemounts;
    +		}
    +
    +		$GLOBALS['TL_DCA']['tl_page']['list']['sorting']['root'] = $root;
     
     		// Set allowed page IDs (edit multiple)
     		if (\is_array($session['CURRENT']['IDS']))
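Review bot: The fallback `$root = array(0);` is a sentinel that only works because DC_Table.php in this same commit special-cases a root of `== array(0)` to skip eliminateNestedPages(), and nothing at this site says so. Add a why-comment above the assignment: `// No page mounts: use the sentinel root array(0), which DC_Table treats as "no records" instead of resolving nested pages`. Note also that this code writes into tl_page's DCA from tl_article.php, presumably because articles are listed beneath the page tree; a one-line comment stating that would save the next reader a detour. checkPermission() starts above this hunk.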
    
  • core-bundle/src/Resources/contao/dca/tl_content.php+1 4 modified
    @@ -888,11 +888,8 @@ public function checkPermission()
     		// Check the current action
     		switch (Input::get('act'))
     		{
    -			case 'paste':
    -				// Allow
    -				break;
    -
     			case '': // empty
    +			case 'paste':
     			case 'create':
     			case 'select':
     				// Check access to the article
    
  • core-bundle/src/Resources/contao/dca/tl_form_field.php+5 2 modified
    @@ -462,11 +462,14 @@ public function checkPermission()
     		switch (Input::get('act'))
     		{
     			case 'paste':
    -				// Allow
    +			case 'select':
    +				if (!\in_array($id, $root))
    +				{
    +					throw new Contao\CoreBundle\Exception\AccessDeniedException('Not enough permissions to access form ID ' . $id . '.');
    +				}
     				break;
     
     			case 'create':
    -			case 'select':
     				if (!\strlen(Input::get('id')) || !\in_array(Input::get('id'), $root))
     				{
     					throw new Contao\CoreBundle\Exception\AccessDeniedException('Not enough permissions to access form ID ' . Input::get('id') . '.');
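Review bot: The new paste/select guard `if (!\in_array($id, $root))` is weaker than the `create` guard directly below it, which additionally rejects an empty id with `!\strlen(Input::get('id'))` and reads the id from the request rather than from `$id`. If `$id` is derived from `Input::get('id')` above the hunk, an empty id passes the loose `in_array` whenever `$root` contains 0, since PHP 7 treats `'' == 0` as true; aligning the two branches — `if (!\strlen($id) || !\in_array((int) $id, $root, true))`, assuming `$root` holds integers — removes the inconsistency. Since both branches would then perform the same test, they could also be merged into one case group. checkPermission() starts above this hunk.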
    
  • core-bundle/src/Resources/contao/dca/tl_page.php+10 1 modified
    @@ -713,7 +713,16 @@ public function checkPermission()
     		$GLOBALS['TL_DCA']['tl_page']['fields']['cgroup']['default'] = (int) Config::get('defaultGroup') ?: (int) $this->User->groups[0];
     
     		// Restrict the page tree
    -		$GLOBALS['TL_DCA']['tl_page']['list']['sorting']['root'] = $this->User->pagemounts;
    +		if (empty($this->User->pagemounts) || !\is_array($this->User->pagemounts))
    +		{
    +			$root = array(0);
    +		}
    +		else
    +		{
    +			$root = $this->User->pagemounts;
    +		}
    +
    +		$GLOBALS['TL_DCA']['tl_page']['list']['sorting']['root'] = $root;
     
     		// Set allowed page IDs (edit multiple)
     		if (\is_array($session['CURRENT']['IDS']))
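Review bot: This pagemounts-to-`$root` fallback is byte-for-byte the same as the block added to core-bundle/.../tl_article.php in this commit; a small helper on the user object that returns the mounts or `array(0)` would keep the two sites from drifting and give the sentinel one documented home. As written, a why-comment is the minimum: `// Empty or malformed pagemounts: fall back to the sentinel root array(0) so no pages are listed`. The `!\is_array` test after `empty()` only matters for non-empty scalars, which also land in the fallback — the safe direction. checkPermission() starts above this hunk.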
    
  • core-bundle/src/Resources/contao/drivers/DC_Table.php+16 1 modified
    @@ -229,7 +229,14 @@ public function __construct($strTable, $arrModule=array())
     			// Get root records from global configuration file
     			elseif (\is_array($GLOBALS['TL_DCA'][$table]['list']['sorting']['root']))
     			{
    -				$this->root = $this->eliminateNestedPages($GLOBALS['TL_DCA'][$table]['list']['sorting']['root'], $table, $this->Database->fieldExists('sorting', $table));
    +				if ($GLOBALS['TL_DCA'][$table]['list']['sorting']['root'] == array(0))
    +				{
    +					$this->root = array(0);
    +				}
    +				else
    +				{
    +					$this->root = $this->eliminateNestedPages($GLOBALS['TL_DCA'][$table]['list']['sorting']['root'], $table, $this->Database->fieldExists('sorting', $table));
    +				}
     			}
     		}
     
    @@ -5522,6 +5529,14 @@ protected function filterMenu($intFilterPanel)
     				}
     			}
     
    +			$table = ($GLOBALS['TL_DCA'][$this->strTable]['list']['sorting']['mode'] == 6) ? $this->ptable : $this->strTable;
    +
    +			// Limit the options if there are root records
    +			if (isset($GLOBALS['TL_DCA'][$table]['list']['sorting']['root']) && $GLOBALS['TL_DCA'][$table]['list']['sorting']['root'] !== false)
    +			{
    +				$arrProcedure[] = "id IN(" . implode(',', array_map('\intval', $GLOBALS['TL_DCA'][$table]['list']['sorting']['root'])) . ")";
    +			}
    +
     			$objFields = $this->Database->prepare("SELECT DISTINCT " . $what . " FROM " . $this->strTable . ((\is_array($arrProcedure) && \strlen($arrProcedure[0])) ? ' WHERE ' . implode(' AND ', $arrProcedure) : ''))
     										->execute($arrValues);
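Review bot: In the filterMenu hunk, `$table` switches to `$this->ptable` for sorting mode 6, yet the added constraint is `id IN(...)` against `FROM $this->strTable`: root IDs of the parent table are compared with primary keys of the child table, so in mode 6 the filter either hides valid options or matches unrelated children. For mode 6 the constraint should presumably be on `pid`, and for the tree modes the root list likely needs its child records appended before use, since the filter otherwise only covers the root records themselves — both are inferences, as root handling lives in the constructor. In the constructor hunk, `== array(0)` is a loose comparison that also matches `array('')`, `array(null)` and `array(false)`; `=== array(0)` pins the sentinel. filterMenu() starts and ends outside this hunk.
```php
// … unchanged: $table selection and filter-panel handling …

// Limit the options if there are root records
if (isset($GLOBALS['TL_DCA'][$table]['list']['sorting']['root']) && $GLOBALS['TL_DCA'][$table]['list']['sorting']['root'] !== false)
{
	$rootIds = array_map('\intval', (array) $GLOBALS['TL_DCA'][$table]['list']['sorting']['root']);

	// In mode 6 the root IDs belong to the parent table, so constrain the child rows by pid
	if ($GLOBALS['TL_DCA'][$this->strTable]['list']['sorting']['mode'] == 6)
	{
		$arrProcedure[] = "pid IN(" . implode(',', $rootIds) . ")";
	}
	else
	{
		$arrProcedure[] = "id IN(" . implode(',', $rootIds) . ")";
	}
}

// … unchanged: SELECT DISTINCT query …
```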
     
    
  • news-bundle/src/Resources/contao/dca/tl_content.php+1 4 modified
    @@ -59,11 +59,8 @@ public function checkPermission()
     		// Check the current action
     		switch (Input::get('act'))
     		{
    -			case 'paste':
    -				// Allow
    -				break;
    -
     			case '': // empty
    +			case 'paste':
     			case 'create':
     			case 'select':
     				// Check access to the news item
    
  • news-bundle/src/Resources/contao/dca/tl_news.php+5 2 modified
    @@ -526,7 +526,11 @@ public function checkPermission()
     		switch (Input::get('act'))
     		{
     			case 'paste':
    -				// Allow
    +			case 'select':
    +				if (!\in_array($id, $root))
    +				{
    +					throw new Contao\CoreBundle\Exception\AccessDeniedException('Not enough permissions to access news archive ID ' . $id . '.');
    +				}
     				break;
     
     			case 'create':
    @@ -582,7 +586,6 @@ public function checkPermission()
     				}
     				break;
     
    -			case 'select':
     			case 'editAll':
     			case 'deleteAll':
     			case 'overrideAll':
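Review bot: The new paste/select check `if (!\in_array($id, $root))` relies on loose comparison and on `$id` and `$root` that are assigned above this hunk, so whether an empty or non-numeric id can slip past it depends on code I cannot see; passing `true` as the third argument after normalising both sides to int would make the intent explicit. The exception message also embeds the raw `$id`; if AccessDeniedException messages are ever rendered into the back-end page, casting it — `'... news archive ID ' . (int) $id . '.'` — keeps request data out of the output. checkPermission() starts and ends outside this hunk.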
    
  • newsletter-bundle/src/Resources/contao/dca/tl_newsletter.php+4 1 modified
    @@ -309,7 +309,10 @@ public function checkPermission()
     		{
     			case 'paste':
     			case 'select':
    -				// Allow
    +				if (!\in_array($id, $root))
    +				{
    +					throw new Contao\CoreBundle\Exception\AccessDeniedException('Not enough permissions to access newsletter channel ID ' . $id . '.');
    +				}
     				break;
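Review bot: The check `if (!\in_array($id, $root))` added for paste/select uses loose comparison, which on PHP 7 lets an empty `$id` match a root entry of 0 and a numeric-prefixed string match its integer prefix; `$id` and `$root` are defined above the hunk, so I cannot see whether they are already normalised. Prefer `\in_array((int) $id, $root, true)` if `$root` holds integer channel IDs, and reject an empty id first as the `create` branch of the tl_form_field.php hunk in this commit does. checkPermission() starts above and continues below this hunk.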
     
     			case 'create':
    
  • newsletter-bundle/src/Resources/contao/dca/tl_newsletter_recipients.php+4 1 modified
    @@ -237,7 +237,10 @@ public function checkPermission()
     		{
     			case 'paste':
     			case 'select':
    -				// Allow
    +				if (!\in_array($id, $root))
    +				{
    +					throw new Contao\CoreBundle\Exception\AccessDeniedException('Not enough permissions to access newsletter channel ID ' . $id . '.');
    +				}
     				break;
     
     			case 'create':
    

