author: canyonknight <canyonknight@gmail.com> 2012-11-29 16:54:29 -0500
committer: Lukas Fleischer <archlinux@cryptocrack.de> 2012-11-29 23:23:10 +0100
commit: 87fe4701cd2e84c70c080eade1c2a0f1ffa3c6d9 (patch)
tree: ad30778e7fcb34c6f71cf0ad7d9104f84e2a398e /TODO
parent: e383205edabff92f7f7c7750cd0038774c823c6b (diff)
download: aurweb-87fe4701cd2e84c70c080eade1c2a0f1ffa3c6d9.tar.xz
Fix account editing and hijacking vulnerability
Checks are in place to avoid users getting account editing forms they shouldn't have access to. The appropriate checks before editing the account in the backend are not in place. This vulnerability allows a user to craft malicious POST data to edit other user accounts, thereby allowing account hijacking.

Add a new flexible function can_edit_account() to determine if a user has appropriate permissions. Run the permission check before processing any account information in the backend.

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
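The pattern the commit describes, as an added PHP illustration that is not aurweb's own code: the handler that trusts the account ID in the POST body beside one that resolves the target account and runs can_edit_account() against the session user before touching any field. The account type values, column names, session layout and the permission rule itself are assumptions, not taken from aurweb.

```php
<?php
// Added illustration; not aurweb's code. Account type values, the
// Users table columns and the permission rule are hypothetical.
const TYPE_USER = 1;
const TYPE_TU   = 2;
const TYPE_DEV  = 3;

/**
 * Decide whether $actor may edit the account $target.
 * Assumed rule: anyone may edit their own account; a TU or Developer
 * may edit accounts of strictly lower privilege; nobody else edits
 * anybody else.
 */
function can_edit_account(array $actor, array $target): bool {
    if ((int)$actor['ID'] === (int)$target['ID']) {
        return true;
    }
    if ((int)$actor['AccountTypeID'] <= TYPE_USER) {
        return false; // ordinary users may only edit themselves
    }
    return (int)$actor['AccountTypeID'] > (int)$target['AccountTypeID'];
}

// Vulnerable shape: the form was only shown to authorised users, but the
// backend updates whatever ID the client put in the POST body.
function process_account_form_vulnerable(array $post, PDO $db): void {
    $stmt = $db->prepare('UPDATE Users SET Email = :e WHERE ID = :id');
    $stmt->execute([':e' => $post['E'], ':id' => $post['ID']]);
}

// Fixed shape: load the target from the posted ID, authorise against the
// logged-in user, and only then process any account information.
function process_account_form(array $post, array $session_user, PDO $db): bool {
    $stmt = $db->prepare('SELECT ID, AccountTypeID FROM Users WHERE ID = :id');
    $stmt->execute([':id' => (int)$post['ID']]);
    $target = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($target === false || !can_edit_account($session_user, $target)) {
        return false; // reject before any field is examined or written
    }
    $stmt = $db->prepare('UPDATE Users SET Email = :e WHERE ID = :id');
    $stmt->execute([':e' => $post['E'], ':id' => $target['ID']]);
    return true;
}
```

The check must key on the session user, never on anything in the request, since the request is exactly what the attacker controls.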
Diffstat (limited to 'TODO')
0 files changed, 0 insertions, 0 deletions