Fix account privilege escalation vulnerability

A check is only done to verify a Trusted User isn't promoting their account. An attacker can send tampered account type POST data to change their "User" level account to a "Developer" account. Add check so that all users cannot increase their own account permissions. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
author: canyonknight <canyonknight@gmail.com> 2012-11-29 22:54:30 +0100
committer: Lukas Fleischer <archlinux@cryptocrack.de> 2012-11-29 23:23:12 +0100
commit: ec332bb7e6fcc589fb4c2cd3f4955768418feaeb (patch)
tree: 711255e2e58daea2d7817a3e9026d219cefc519d /web/lib
parent: 87fe4701cd2e84c70c080eade1c2a0f1ffa3c6d9 (diff)
download: aur-ec332bb7e6fcc589fb4c2cd3f4955768418feaeb.tar.gz
aur-ec332bb7e6fcc589fb4c2cd3f4955768418feaeb.tar.xz
1 files changed, 2 insertions, 2 deletions
diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php
index 81e06b6a..a41659ee 100644
--- a/web/lib/acctfuncs.inc.php
+++ b/web/lib/acctfuncs.inc.php
@@ -145,8 +145,8 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="",
 		$error = __("The PGP key fingerprint is invalid.");
 	}
 
-	if ($UTYPE == "Trusted User" && $T == 3) {
-		$error = __("A Trusted User cannot assign Developer status.");
+	if (($UTYPE == "User" && $T > 1) || ($UTYPE == "Trusted User" && $T > 2)) {
+		$error = __("Cannot increase account permissions.");
 	}
 	if (!$error && !array_key_exists($L, $SUPPORTED_LANGS)) {
 		$error = __("Language is not currently supported.");
author	canyonknight <canyonknight@gmail.com>	2012-11-29 22:54:30 +0100
committer	Lukas Fleischer <archlinux@cryptocrack.de>	2012-11-29 23:23:12 +0100
commit	ec332bb7e6fcc589fb4c2cd3f4955768418feaeb (patch)
tree	711255e2e58daea2d7817a3e9026d219cefc519d /web/lib
parent	87fe4701cd2e84c70c080eade1c2a0f1ffa3c6d9 (diff)
download	aur-ec332bb7e6fcc589fb4c2cd3f4955768418feaeb.tar.gz aur-ec332bb7e6fcc589fb4c2cd3f4955768418feaeb.tar.xz