Project

General

Profile

Actions

Bug #2381

closed

Wrong authorization check

Added by beat over 13 years ago. Updated over 13 years ago.

Status:
Rejected
Priority:
Normal
Assignee:
Target version:
Start date:
08 March 2011
Due date:
% Done:

100%

Estimated time:

Description

This authorization check does not work correctly:

    private function saveCategoryEdit( $id, $user, $plugin ) {
...

        $row                        =    new cbgjCategory( $_CB_database );

        if ( $id ) {
            $row->load( $id );
        }

        $authorized                    =    cbgjClass::getAuthorization( $row, null, $row->user_id );

        if ( in_array( 'cat_create', $authorized ) || in_array( 'mod_lvl1', $authorized ) ) {

It checks that the owner of the category has right to save, and not the saving logged-in user. This means that anyone can save any category by giving its id, which is a vuln.

Please review all authorizations to WHOM the check is made. Actually, probably you want to check against the logged-in user all the time, and not pass the user id to the getAuthorization() function ?

Actions

Also available in: Atom PDF