diff options
author | canyonknight <canyonknight@gmail.com> | 2012-11-29 22:54:30 +0100 |
---|---|---|
committer | Lukas Fleischer <archlinux@cryptocrack.de> | 2012-11-29 23:23:12 +0100 |
commit | ec332bb7e6fcc589fb4c2cd3f4955768418feaeb (patch) | |
tree | 711255e2e58daea2d7817a3e9026d219cefc519d | |
parent | 87fe4701cd2e84c70c080eade1c2a0f1ffa3c6d9 (diff) | |
download | aur-ec332bb7e6fcc589fb4c2cd3f4955768418feaeb.tar.gz aur-ec332bb7e6fcc589fb4c2cd3f4955768418feaeb.tar.xz |
Fix account privilege escalation vulnerability
A check is only done to verify a Trusted User isn't promoting their
account. An attacker can send tampered account type POST data to
change their "User" level account to a "Developer" account.
Add check so that all users cannot increase their own account
permissions.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-rw-r--r-- | web/lib/acctfuncs.inc.php | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php index 81e06b6a..a41659ee 100644 --- a/web/lib/acctfuncs.inc.php +++ b/web/lib/acctfuncs.inc.php @@ -145,8 +145,8 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="", $error = __("The PGP key fingerprint is invalid."); } - if ($UTYPE == "Trusted User" && $T == 3) { - $error = __("A Trusted User cannot assign Developer status."); + if (($UTYPE == "User" && $T > 1) || ($UTYPE == "Trusted User" && $T > 2)) { + $error = __("Cannot increase account permissions."); } if (!$error && !array_key_exists($L, $SUPPORTED_LANGS)) { $error = __("Language is not currently supported."); |