diff options
author | canyonknight <canyonknight@gmail.com> | 2012-11-29 16:54:29 -0500 |
---|---|---|
committer | Lukas Fleischer <archlinux@cryptocrack.de> | 2012-11-29 23:23:10 +0100 |
commit | 87fe4701cd2e84c70c080eade1c2a0f1ffa3c6d9 (patch) | |
tree | ad30778e7fcb34c6f71cf0ad7d9104f84e2a398e /scripts/aurblup/README | |
parent | e383205edabff92f7f7c7750cd0038774c823c6b (diff) | |
download | aurweb-87fe4701cd2e84c70c080eade1c2a0f1ffa3c6d9.tar.xz |
Fix account editing and hijacking vulnerability
Checks are in place to avoid users getting account editing forms
they shouldn't have access to. The appropriate checks before
editing the account in the backend are not in place.
This vulnerability allows a user to craft malicious POST data to
edit other user accounts, thereby allowing account hijacking.
Add a new flexible function can_edit_account() to determine if
a user has appropriate permissions. Run the permission check before
processing any account information in the backend.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Diffstat (limited to 'scripts/aurblup/README')
0 files changed, 0 insertions, 0 deletions