summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorcanyonknight <canyonknight@gmail.com>2012-11-29 22:54:30 +0100
committerLukas Fleischer <archlinux@cryptocrack.de>2012-11-29 23:23:12 +0100
commitec332bb7e6fcc589fb4c2cd3f4955768418feaeb (patch)
tree711255e2e58daea2d7817a3e9026d219cefc519d
parent87fe4701cd2e84c70c080eade1c2a0f1ffa3c6d9 (diff)
downloadaur-ec332bb7e6fcc589fb4c2cd3f4955768418feaeb.tar.gz
aur-ec332bb7e6fcc589fb4c2cd3f4955768418feaeb.tar.xz
Fix account privilege escalation vulnerability
A check is only done to verify a Trusted User isn't promoting their account. An attacker can send tampered account type POST data to change their "User" level account to a "Developer" account. Add check so that all users cannot increase their own account permissions. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-rw-r--r--web/lib/acctfuncs.inc.php4
1 files changed, 2 insertions, 2 deletions
diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php
index 81e06b6a..a41659ee 100644
--- a/web/lib/acctfuncs.inc.php
+++ b/web/lib/acctfuncs.inc.php
@@ -145,8 +145,8 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="",
$error = __("The PGP key fingerprint is invalid.");
}
- if ($UTYPE == "Trusted User" && $T == 3) {
- $error = __("A Trusted User cannot assign Developer status.");
+ if (($UTYPE == "User" && $T > 1) || ($UTYPE == "Trusted User" && $T > 2)) {
+ $error = __("Cannot increase account permissions.");
}
if (!$error && !array_key_exists($L, $SUPPORTED_LANGS)) {
$error = __("Language is not currently supported.");