From 2e2a22ee5aafa28771f87c108edea024b618a8d5 Mon Sep 17 00:00:00 2001
From: Mightyhaggis
Date: Sun, 27 Mar 2016 19:25:54 +0100
Subject: [PATCH] User security fix
Fix to resolve #405 by adding a check that compares POST id with SESSION id for none admin edits
---
 plugins/box/users/users.plugin.php | 45 +++++++++++++++++-------------
 1 file changed, 25 insertions(+), 20 deletions(-)
diff --git a/plugins/box/users/users.plugin.php b/plugins/box/users/users.plugin.php
index 2ff9a2a..b41520c 100644
--- a/plugins/box/users/users.plugin.php
+++ b/plugins/box/users/users.plugin.php
@@ -228,27 +228,32 @@ class Users extends Frontend
 // Check csrf
 if (Security::check(Request::post('csrf'))) {
-
- if (Security::safeName(Request::post('login')) != '') {
- if (Users::$users->update(Request::post('user_id'),
- array('login' => Security::safeName(Request::post('login')),
- 'firstname' => Request::post('firstname'),
- 'lastname' => Request::post('lastname'),
- 'email' => Request::post('email'),
- 'skype' => Request::post('skype'),
- 'about_me' => Request::post('about_me'),
- 'twitter' => Request::post('twitter')))) {
-
- // Change password
- if (trim(Request::post('new_password')) != '') {
- Users::$users->update(Request::post('user_id'), array('password' => Security::encryptPassword(trim(Request::post('new_password')))));
+
+ // Check for POST data manipulation
+ if( ((int) Session::get('user_id') == (int) Request::post('user_id')) or (in_array(Session::get('user_role'), array('admin'))) ) {
+
+ if (Security::safeName(Request::post('login')) != '') {
+ if (Users::$users->update(Request::post('user_id'),
+ array('login' => Security::safeName(Request::post('login')),
+ 'firstname' => Request::post('firstname'),
+ 'lastname' => Request::post('lastname'),
+ 'email' => Request::post('email'),
+ 'skype' => Request::post('skype'),
+ 'about_me' => Request::post('about_me'),
+ 'twitter' => Request::post('twitter')))) {
+
+ // Change password
+ if (trim(Request::post('new_password')) != '') {
+ Users::$users->update(Request::post('user_id'), array('password' => Security::encryptPassword(trim(Request::post('new_password')))));
+ }
+
+ Notification::set('success', __('Your changes have been saved.', 'users'));
+ Request::redirect(Site::url().'/users/'.$user['id']);
 }
-
- Notification::set('success', __('Your changes have been saved.', 'users'));
- Request::redirect(Site::url().'/users/'.$user['id']);
- }
- } else { }
-
+ } else { }
+
+ } else { die('Monstra says: This is not your profile...'); }
+
 } else { die('Request was denied because it contained an invalid
security token. Please refresh the page and try again.'); } }
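Review bot: The new ownership check on the `if( ((int) Session::get('user_id') == (int) Request::post('user_id')) ...` line authorizes an integer-cast value, but both `Users::$users->update(Request::post('user_id'), ...)` calls beneath it still receive the raw POST string, so the id that was checked and the id that is written are not the same value whenever the cast discards characters (a constructed example: `'5abc'` compares as 5). Resolve the target once, `$userId = (int) Request::post('user_id');`, compare with `(int) Session::get('user_id') === $userId || in_array(Session::get('user_role'), array('admin'), true)`, and pass `$userId` to both update calls; the redirect target `$user['id']` is presumably the profile loaded before this hunk, so it is worth confirming it refers to the same record as the POSTed id. As a point of style, `||` is the conventional operator in a condition (`or` binds more loosely than assignment and reads as a different idiom), and `if (` matches the spacing used on the surrounding lines. The enclosing method begins before the hunk.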