From 87fe4701cd2e84c70c080eade1c2a0f1ffa3c6d9 Mon Sep 17 00:00:00 2001
From: canyonknight
Date: Thu, 29 Nov 2012 16:54:29 -0500
Subject: Fix account editing and hijacking vulnerability

Checks are in place to avoid users getting account editing forms they shouldn't have access to. The appropriate checks before editing the account in the backend are not in place. This vulnerability allows a user to craft malicious POST data to edit other user accounts, thereby allowing account hijacking. Add a new flexible function can_edit_account() to determine if a user has appropriate permissions. Run the permission check before processing any account information in the backend.

Signed-off-by: canyonknight
Signed-off-by: Lukas Fleischer
---
 web/html/account.php | 11 ++++++++---
 web/lib/acctfuncs.inc.php | 29 +++++++++++++++++++++++++++++
 2 files changed, 37 insertions(+), 3 deletions(-)

diff --git a/web/html/account.php b/web/html/account.php
index 786ae026..cccdd76c 100644
--- a/web/html/account.php
+++ b/web/html/account.php
@@ -73,9 +73,14 @@ if (isset($_COOKIE["AURSID"])) {
 }
 }
 elseif ($action == "UpdateAccount") {
- # user is submitting their modifications to an existing account
- #
- if (check_token()) {
+ $uid = uid_from_sid($_COOKIE['AURSID']);
+
+ /* Details for account being updated */
+ $acctinfo = account_details(in_request('ID'), in_request('U'));
+
+ /* Verify user permissions and that the request is a valid POST */
+ if (can_edit_account($atype, $acctinfo, $uid) && check_token()) {
+ /* Update the details for the existing account */
 process_account_form($atype, "edit", "UpdateAccount",
 in_request("U"), in_request("T"), in_request("S"),
 in_request("E"), in_request("P"), in_request("C"),
diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php
index 3fd23ae4..81e06b6a 100644
--- a/web/lib/acctfuncs.inc.php
+++ b/web/lib/acctfuncs.inc.php
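Review bot: `check_token()` is evaluated after `can_edit_account()`, and `account_details()` runs before either, so a request with a missing or forged token still triggers the account lookup and the permission logic; putting the cheap CSRF check first, `if (check_token() && can_edit_account($atype, $acctinfo, $uid)) {`, rejects such requests earliest and gives the same result for valid ones. `can_edit_account()` reads `$acctinfo['AccountType']` and `$acctinfo['ID']`, so if `account_details()` can return an empty result for an ID or username that does not exist, that case should be rejected explicitly before the call rather than left to an undefined-index warning. The lookup is keyed on the request's `ID` and `U`, while the update itself is driven by the request fields handed to `process_account_form()`; it is worth confirming that both resolve to the same row, otherwise the account checked and the account modified could differ. The `elseif` branch and the path taken when the condition is false continue outside the hunk, so I cannot see what a denied request is shown; a denied update should produce an explicit error rather than fall through silently.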
@@ -1015,3 +1015,32 @@ function cast_proposal_vote($voteid, $uid, $vote, $newtotal, $dbh=NULL) {
 $q = "INSERT INTO TU_Votes (VoteID, UserID) VALUES (" . intval($voteid) . ", " . intval($uid) . ")";
 $result = $dbh->exec($q);
 }
+
+/**
+ * Verify a user has the proper permissions to edit an account
+ *
+ * @param string $atype Account type of the editing user
+ * @param array $acctinfo User account information for edited account
+ * @param int $uid User ID of the editing user
+ *
+ * @return bool True if permission to edit the account, otherwise false
+ */
+function can_edit_account($atype, $acctinfo, $uid) {
+ /* Developers can edit any account */
+ if ($atype == 'Developer') {
+ return true;
+ }
+
+ /* Trusted Users can edit all accounts except Developer accounts */
+ if ($atype == 'Trusted User' &&
+ $acctinfo['AccountType'] != 'Developer') {
+ return true;
+ }
+
+ /* Users can edit only their own account */
+ if ($acctinfo['ID'] == $uid) {
+ return true;
+ }
+
+ return false;
+}
-- cgit v1.2.3-24-g4f1b
From ec332bb7e6fcc589fb4c2cd3f4955768418feaeb Mon Sep 17 00:00:00 2001
From: canyonknight
Date: Thu, 29 Nov 2012 16:54:30 -0500
Subject: Fix account privilege escalation vulnerability

A check is only done to verify a Trusted User isn't promoting their account. An attacker can send tampered account type POST data to change their "User" level account to a "Developer" account. Add check so that all users cannot increase their own account permissions.

Signed-off-by: canyonknight
Signed-off-by: Lukas Fleischer
---
 web/lib/acctfuncs.inc.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php
index 81e06b6a..a41659ee 100644
--- a/web/lib/acctfuncs.inc.php
+++ b/web/lib/acctfuncs.inc.php
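Review bot: The authorization decision in `can_edit_account()` rests on loose `==`/`!=` comparisons, and the self-edit branch `if ($acctinfo['ID'] == $uid) {` compares values whose types the hunk does not pin down (`ID` presumably arrives from the database as a string, `$uid` from `uid_from_sid()`); guarding up front with `if (!is_array($acctinfo) || empty($acctinfo['ID']) || empty($uid)) { return false; }` and comparing normalised integers, `if (intval($acctinfo['ID']) === intval($uid)) {`, makes the deny-by-default intent explicit instead of relying on PHP's comparison rules and on an undefined-index warning when the lookup found nothing. The check is only as strong as `$atype`, which the caller obtains outside this hunk; the docblock should say that it must come from the logged-in session and never from request data, since a request-supplied value would satisfy the first branch outright. The string comparisons against `'Developer'` and `'Trusted User'` would also read more safely as `===`.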
@@ -145,8 +145,8 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="",
 $error = __("The PGP key fingerprint is invalid.");
 }

- if ($UTYPE == "Trusted User" && $T == 3) {
- $error = __("A Trusted User cannot assign Developer status.");
+ if (($UTYPE == "User" && $T > 1) || ($UTYPE == "Trusted User" && $T > 2)) {
+ $error = __("Cannot increase account permissions.");
 }
 if (!$error && !array_key_exists($L, $SUPPORTED_LANGS)) {
 $error = __("Language is not currently supported.");
-- cgit v1.2.3-24-g4f1b
From 4187b2eb6501a9622c3e22e7b1eec755aa668b67 Mon Sep 17 00:00:00 2001
From: Marcel Korpel
Date: Tue, 4 Dec 2012 17:29:59 +0000
Subject: systemd compatibility

Signed-off-by: canyonknight
Signed-off-by: Lukas Fleischer
---
 INSTALL | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/INSTALL b/INSTALL
index afab2749..1a410666 100644
--- a/INSTALL
+++ b/INSTALL
@@ -53,7 +53,7 @@ Setup on Arch Linux:

 6) Configure MySQL
 - Start the MySQL service. Example:
- # /etc/rc.d/mysqld start
+ # systemctl start mysqld

 - Create database
 # mysqladmin -p create AUR
-- cgit v1.2.3-24-g4f1b
From c1c3aef74a2fb3f39f97e9a2e8aea7230fc8859f Mon Sep 17 00:00:00 2001
From: canyonknight
Date: Tue, 4 Dec 2012 22:37:25 +0000
Subject: INSTALL: Update required dummy data packages

Signed-off-by: canyonknight
Signed-off-by: Lukas Fleischer
---
 INSTALL | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/INSTALL b/INSTALL
index 1a410666..047cfc44 100644
--- a/INSTALL
+++ b/INSTALL
@@ -72,7 +72,7 @@ Setup on Arch Linux:
 (give password 'aur' at the prompt)

 - Optionally load some test data for development purposes.
- # pacman -S words mysql-python
+ # pacman -S words fortune-mod
 # cd ~/aur/support/schema/
 # python gendummydata.py dummy-data.sql
 # bzip2 dummy-data.sql
-- cgit v1.2.3-24-g4f1b
From ce01cfebcca6f097e16d42a44248cebea7bfad71 Mon Sep 17 00:00:00 2001
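Review bot: The new condition in `process_account_form()` only caps `$T` from above, so anything at or below the editor's level is accepted, including `0`, a negative number or a non-numeric string, and `$T` is a raw request value compared loosely against integer literals; normalising it first, `$T = intval($T);`, and then rejecting any value outside the known account types (the hunk implies 1–3) would make the check a whitelist rather than an upper bound. The `$UTYPE` comparisons would also be safer as `===`. A comment above the condition, e.g. `/* Nobody may assign a level above their own: User <= 1, Trusted User <= 2, Developer unrestricted */`, would record the policy that the new generic error message no longer states. `process_account_form()` starts before the hunk and continues after it, so I cannot see whether `$T` is cast or validated elsewhere.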
From: Marcel Korpel
Date: Wed, 5 Dec 2012 12:14:55 +0000
Subject: INSTALL: Current PHP has JSON support without extension

Signed-off-by: canyonknight
Signed-off-by: Lukas Fleischer
---
 INSTALL | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/INSTALL b/INSTALL
index 047cfc44..91aa3da1 100644
--- a/INSTALL
+++ b/INSTALL
@@ -44,12 +44,10 @@ Setup on Arch Linux:

 5) Configure PHP
 Make sure you have mysql and json enabled in PHP.
- - Edit php.ini and uncomment/add these lines:
+ - Edit php.ini and uncomment/add this line:
 extension=pdo_mysql.so
- extension=json.so

- If those php extensions are separate packages on your system, install
- them.
+ If this PHP extension is a separate package on your system, install it.

 6) Configure MySQL
 - Start the MySQL service. Example:
-- cgit v1.2.3-24-g4f1b
From 332875bbfeb15340b1d67a8f9382e67c4df52eab Mon Sep 17 00:00:00 2001
From: Marcel Korpel
Date: Wed, 5 Dec 2012 16:49:46 +0000
Subject: INSTALL: Change # to $ where possible

Signed-off-by: canyonknight
Signed-off-by: Lukas Fleischer
---
 INSTALL | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/INSTALL b/INSTALL
index 91aa3da1..76df42b9 100644
--- a/INSTALL
+++ b/INSTALL
@@ -57,24 +57,24 @@ Setup on Arch Linux:
 # mysqladmin -p create AUR

 - Connect to the mysql client
- # mysql -uroot -p AUR
+ $ mysql -uroot -p AUR

 - Issue the following commands to the mysql client
 mysql> GRANT ALL PRIVILEGES ON AUR.* to aur@localhost
- > identified by 'aur';
+ -> identified by 'aur';
 mysql> FLUSH PRIVILEGES;
 mysql> quit

 - Load the schema file
- # mysql -uaur -p AUR < ~/aur/support/schema/aur-schema.sql
+ $ mysql -uaur -p AUR < ~/aur/support/schema/aur-schema.sql
 (give password 'aur' at the prompt)

 - Optionally load some test data for development purposes.
 # pacman -S words fortune-mod
- # cd ~/aur/support/schema/
- # python gendummydata.py dummy-data.sql
- # bzip2 dummy-data.sql
- # bzcat dummy-data.sql.bz2 | mysql -uaur -p AUR
+ $ cd ~/aur/support/schema/
+ $ python gendummydata.py dummy-data.sql
+ $ bzip2 dummy-data.sql
+ $ bzcat dummy-data.sql.bz2 | mysql -uaur -p AUR
 (give password 'aur' at the prompt)

 If your test data consists of real people and real email addresses consider
@@ -83,7 +83,7 @@ Setup on Arch Linux:
 mysql> UPDATE Users SET Email = RAND() * RAND();

 7) Copy the config.inc.php.proto file to config.inc.php. Modify as needed.
- # cd ~/aur/web/lib/
- # cp config.inc.php.proto config.inc.php
+ $ cd ~/aur/web/lib/
+ $ cp config.inc.php.proto config.inc.php

 8) Point your browser to http://aur
-- cgit v1.2.3-24-g4f1b