From 87fe4701cd2e84c70c080eade1c2a0f1ffa3c6d9 Mon Sep 17 00:00:00 2001
From: canyonknight <canyonknight@gmail.com>
Date: Thu, 29 Nov 2012 16:54:29 -0500
Subject: Fix account editing and hijacking vulnerability

Checks are in place to avoid users getting account editing forms
they shouldn't have access to. The appropriate checks before
editing the account in the backend are not in place.

This vulnerability allows a user to craft malicious POST data to
edit other user accounts, thereby allowing account hijacking.

Add a new flexible function can_edit_account() to determine if
a user has appropriate permissions. Run the permission check before
processing any account information in the backend.

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
---
 web/html/account.php | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

(limited to 'web/html')

diff --git a/web/html/account.php b/web/html/account.php
index 786ae026..cccdd76c 100644
--- a/web/html/account.php
+++ b/web/html/account.php
@@ -73,9 +73,14 @@ if (isset($_COOKIE["AURSID"])) {
 		}
 
 	} elseif ($action == "UpdateAccount") {
-		# user is submitting their modifications to an existing account
-		#
-		if (check_token()) {
+		$uid = uid_from_sid($_COOKIE['AURSID']);
+
+		/* Details for account being updated */
+		$acctinfo = account_details(in_request('ID'), in_request('U'));
+
+		/* Verify user permissions and that the request is a valid POST */
+		if (can_edit_account($atype, $acctinfo, $uid) && check_token()) {
+			/* Update the details for the existing account */
 			process_account_form($atype, "edit", "UpdateAccount",
 					in_request("U"), in_request("T"), in_request("S"),
 					in_request("E"), in_request("P"), in_request("C"),
-- 
cgit v1.2.3-24-g4f1b