diff options
| author | canyonknight <canyonknight@gmail.com> | 2012-11-29 16:54:30 -0500 |
|---|---|---|
| committer | Lukas Fleischer <archlinux@cryptocrack.de> | 2012-11-29 23:23:12 +0100 |
| commit | ec332bb7e6fcc589fb4c2cd3f4955768418feaeb (patch) | |
| tree | 711255e2e58daea2d7817a3e9026d219cefc519d | |
| parent | 87fe4701cd2e84c70c080eade1c2a0f1ffa3c6d9 (diff) | |
| download | aurweb-ec332bb7e6fcc589fb4c2cd3f4955768418feaeb.tar.xz | |
Fix account privilege escalation vulnerability
A check is only done to verify a Trusted User isn't promoting their
account. An attacker can send tampered account type POST data to
change their "User" level account to a "Developer" account.
Add check so that all users cannot increase their own account
permissions.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
| -rw-r--r-- | web/lib/acctfuncs.inc.php | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php index 81e06b6..a41659e 100644 --- a/web/lib/acctfuncs.inc.php +++ b/web/lib/acctfuncs.inc.php @@ -145,8 +145,8 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="", $error = __("The PGP key fingerprint is invalid."); } - if ($UTYPE == "Trusted User" && $T == 3) { - $error = __("A Trusted User cannot assign Developer status."); + if (($UTYPE == "User" && $T > 1) || ($UTYPE == "Trusted User" && $T > 2)) { + $error = __("Cannot increase account permissions."); } if (!$error && !array_key_exists($L, $SUPPORTED_LANGS)) { $error = __("Language is not currently supported."); |