From ec332bb7e6fcc589fb4c2cd3f4955768418feaeb Mon Sep 17 00:00:00 2001
From: canyonknight <canyonknight@gmail.com>
Date: Thu, 29 Nov 2012 16:54:30 -0500
Subject: Fix account privilege escalation vulnerability

A check is only done to verify a Trusted User isn't promoting their
account. An attacker can send tampered account type POST data to
change their "User" level account to a "Developer" account.

Add check so that all users cannot increase their own account
permissions.

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
---
 web/lib/acctfuncs.inc.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'web')

diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php
index 81e06b6..a41659e 100644
--- a/web/lib/acctfuncs.inc.php
+++ b/web/lib/acctfuncs.inc.php
@@ -145,8 +145,8 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="",
 		$error = __("The PGP key fingerprint is invalid.");
 	}
 
-	if ($UTYPE == "Trusted User" && $T == 3) {
-		$error = __("A Trusted User cannot assign Developer status.");
+	if (($UTYPE == "User" && $T > 1) || ($UTYPE == "Trusted User" && $T > 2)) {
+		$error = __("Cannot increase account permissions.");
 	}
 	if (!$error && !array_key_exists($L, $SUPPORTED_LANGS)) {
 		$error = __("Language is not currently supported.");
-- 
cgit v1.2.3-54-g00ecf