diff options
author | canyonknight <canyonknight@gmail.com> | 2012-11-29 16:54:30 -0500 |
---|---|---|
committer | Lukas Fleischer <archlinux@cryptocrack.de> | 2012-11-29 23:23:12 +0100 |
commit | ec332bb7e6fcc589fb4c2cd3f4955768418feaeb (patch) | |
tree | 711255e2e58daea2d7817a3e9026d219cefc519d /web/html/logout.php | |
parent | 87fe4701cd2e84c70c080eade1c2a0f1ffa3c6d9 (diff) | |
download | aurweb-ec332bb7e6fcc589fb4c2cd3f4955768418feaeb.tar.xz |
Fix account privilege escalation vulnerability
A check is only done to verify a Trusted User isn't promoting their
account. An attacker can send tampered account type POST data to
change their "User" level account to a "Developer" account.
Add check so that all users cannot increase their own account
permissions.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Diffstat (limited to 'web/html/logout.php')
0 files changed, 0 insertions, 0 deletions