Project

General

Profile

Actions
Copy link

Bug #2381

closed

Wrong authorization check

Added by beat about 14 years ago. Updated about 14 years ago.

Status:
Rejected
Priority:
Normal
Assignee:
beat
Target version:
2.0
Start date:
08 March 2011
Due date:
% Done:

100%

Estimated time:

Description

This authorization check does not work correctly:

    private function saveCategoryEdit( $id, $user, $plugin ) {
...

        $row                        =    new cbgjCategory( $_CB_database );

        if ( $id ) {
            $row->load( $id );
        }

        $authorized                    =    cbgjClass::getAuthorization( $row, null, $row->user_id );

        if ( in_array( 'cat_create', $authorized ) || in_array( 'mod_lvl1', $authorized ) ) {

It checks that the owner of the category has right to save, and not the saving logged-in user. This means that anyone can save any category by giving its id, which is a vuln.

Please review all authorizations to WHOM the check is made. Actually, probably you want to check against the logged-in user all the time, and not pass the user id to the getAuthorization() function ?

#3

Updated by krileon about 14 years ago

  • Status changed from New to Feedback
  • Assignee changed from krileon to beat
#4

Updated by beat about 14 years ago

  • Status changed from Feedback to Assigned
  • Assignee changed from beat to krileon
#5

Updated by krileon about 14 years ago

  • Status changed from Assigned to Feedback
  • Assignee changed from krileon to beat
#6

Updated by beat about 14 years ago

  • Status changed from Feedback to Rejected
  • % Done changed from 0 to 100
Actions
Copy link

Also available in: Atom PDF