[aur-dev] [PATCH] Fix account editing and hijacking vulnerability

[canyonknight]

Checks are in place to avoid users getting account editing forms
they shouldn't have access to. The appropriate checks before
editing the account in the backend are not in place.

This vulnerability allows a user to craft malicious POST data to
edit other user accounts, thereby allowing account hijacking.

Add a new flexible function can_edit_account() to determine if
a user has appropriate permissions. Run the permission check before
processing any account information in the backend.

Signed-off-by: canyonknight <canyonknight at gmail.com>
Signed-off-by: Lukas Fleischer <archlinux at cryptocrack.de>
---

Already applied to maint branch and aur.archlinux.org setup.
Anyone using a custom AUR setup should apply this patch.

 web/html/account.php      | 11 ++++++++---
 web/lib/acctfuncs.inc.php | 29 +++++++++++++++++++++++++++++
 2 files changed, 37 insertions(+), 3 deletions(-)

diff --git a/web/html/account.php b/web/html/account.php
index 786ae02..cccdd76 100644
--- a/web/html/account.php
+++ b/web/html/account.php
@@ -73,9 +73,14 @@ if (isset($_COOKIE["AURSID"])) {
 		}
 
 	} elseif ($action == "UpdateAccount") {
-		# user is submitting their modifications to an existing account
-		#
-		if (check_token()) {
+		$uid = uid_from_sid($_COOKIE['AURSID']);
+
+		/* Details for account being updated */
+		$acctinfo = account_details(in_request('ID'), in_request('U'));
+
+		/* Verify user permissions and that the request is a valid POST */
+		if (can_edit_account($atype, $acctinfo, $uid) && check_token()) {
+			/* Update the details for the existing account */
 			process_account_form($atype, "edit", "UpdateAccount",
 					in_request("U"), in_request("T"), in_request("S"),
 					in_request("E"), in_request("P"), in_request("C"),
diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php
index 3fd23ae..81e06b6 100644
--- a/web/lib/acctfuncs.inc.php
+++ b/web/lib/acctfuncs.inc.php
@@ -1015,3 +1015,32 @@ function cast_proposal_vote($voteid, $uid, $vote, $newtotal, $dbh=NULL) {
 	$q = "INSERT INTO TU_Votes (VoteID, UserID) VALUES (" . intval($voteid) . ", " . intval($uid) . ")";
 	$result = $dbh->exec($q);
 }
+
+/**
+ * Verify a user has the proper permissions to edit an account
+ *
+ * @param string $atype Account type of the editing user
+ * @param array $acctinfo User account information for edited account
+ * @param int $uid User ID of the editing user
+ *
+ * @return bool True if permission to edit the account, otherwise false
+ */
+function can_edit_account($atype, $acctinfo, $uid) {
+	/* Developers can edit any account */
+	if ($atype == 'Developer') {
+		return true;
+	}
+
+	/* Trusted Users can edit all accounts except Developer accounts */
+	if ($atype == 'Trusted User' &&
+		$acctinfo['AccountType'] != 'Developer') {
+			return true;
+	}
+
+	/* Users can edit only their own account */
+	if ($acctinfo['ID'] == $uid) {
+		return true;
+	}
+
+	return false;
+}
-- 
1.8.0.1