[
https://issues.apache.org/jira/browse/VCL-467?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Josh Thompson updated VCL-467:
------------------------------
Fix Version/s: 2.2.2
> Members of a group from one affiliation have access to groups with the same
> name from other affiliations
> --------------------------------------------------------------------------------------------------------
>
> Key: VCL-467
> URL: https://issues.apache.org/jira/browse/VCL-467
> Project: VCL
> Issue Type: Bug
> Components: web gui (frontend)
> Affects Versions: 2.2, 2.2.1
> Environment: PHP 5.1 on CentOS 5.5
> Reporter: Aaron Coburn
> Assignee: Josh Thompson
> Labels: security
> Fix For: 2.2.2, 2.3
>
> Original Estimate: 1h
> Remaining Estimate: 1h
>
> A user with permission to edit a certain group for a certain affiliation has
> access to the groups with the same name from other affiliations. For
> instance, if a user is a member of admin@EXAMPLE1 and therefore can modify
> the group All users@EXAMPLE1, it turns out that the user can also modify the
> group All users@EXAMPLE2 and potentially also admin@EXAMPLE2. The reason for
> this is that the permissions check in the PHP code is based on group name
> rather than group ID. This appears to only affect the "Manage Groups" page
> and the "Privileges" page.
> I have included patches that check the value of 'editgroupid' rather than
> just 'editgroup', thereby comparing unique IDs rather than possibly
> non-unique names.
> The .ht-inc/groups.php page can be fixed with this patch:
> 137,138c137,138
> < if(array_key_exists("editgroup", $usergroups[$id]) &&
> < in_array($usergroups[$id]["editgroup"], $user["groups"]))
> ---
> > if(array_key_exists("editgroupid", $usergroups[$id]) &&
> > array_key_exists($usergroups[$id]["editgroupid"],
> > $user["groups"]))
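Review bot: The new condition reads `$usergroups[$id]["editgroupid"]`, but nothing in this groups.php patch adds that field to the data behind `$usergroups`, whereas the privileges.php patch has to add `g2.editusergroupid AS editgroupid` to its query. Please confirm that the code building `$usergroups` already returns `editgroupid`; if it does not, the `array_key_exists("editgroupid", ...)` guard is always false and edit-group members lose access on this page. A short comment that `$user["groups"]` is keyed by group id would also explain why `in_array` became `array_key_exists`.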
> The .ht-inc/privileges.php page can be fixed with this patch:
> 1715c1715,1716
> < . "g2.name AS editgroup "
> ---
> > . "g2.name AS editgroup, "
> > . "g2.editusergroupid AS editgroupid "
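Review bot: `g2.name AS editgroup` stays in the SELECT next to the new `editgroupid` column, which leaves the non-unique name available to any later permission check. If the name is still needed, add a comment that it is for display only and that authorization must use `editgroupid`; if nothing reads it after this patch, drop it from the query.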
> 1727c1728
> < if($grpdata["ownerid"] != $user["id"] && !
> (in_array($grpdata["editgroup"], $user["groups"]))) {
> ---
> > if($grpdata["ownerid"] != $user["id"] && !
> > (array_key_exists($grpdata["editgroupid"], $user["groups"]))) {
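Review bot: `array_key_exists($grpdata["editgroupid"], $user["groups"])` on the new line is called without first checking that `editgroupid` is set, unlike the groups.php change, which guards with `array_key_exists("editgroupid", ...)`. Add the same guard here so that a group with no edit group is denied by an explicit test rather than by whatever key lookup an empty value produces.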
> 2592c2593
> < foreach($_user["groups"] as $groupname) {
> ---
> > foreach($_user["groups"] as $groupid => $groupname) {
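Review bot: The loop now depends on the keys of `$_user["groups"]` being group ids, which is not stated anywhere near the `foreach`. Add a comment documenting the `id => name` shape, since a caller that passes a plain list of names would turn `$groupid` into a list index and the id comparisons that follow would fail.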
> 2594,2600c2595,2604
> < # (has cascaded $priv && ! have block at this node) return 1
> < if((array_key_exists($groupname, $privs["usergroups"]) &&
> < in_array($priv, $privs["usergroups"][$groupname]['privs']))
> ||
> < ((array_key_exists($groupname, $cascadePrivs["usergroups"])
> &&
> < in_array($priv,
> $cascadePrivs["usergroups"][$groupname]['privs'])) &&
> < (! array_key_exists($groupname, $privs["usergroups"]) ||
> < ! in_array("block",
> $privs["usergroups"][$groupname]['privs'])))) {
> ---
> > # (has cascaded $priv && ! have block at this node) return 1
> > if((array_key_exists($groupname, $privs["usergroups"]) &&
> > $groupid == $privs["usergroups"][$groupname]['id'] &&
> > in_array($priv, $privs["usergroups"][$groupname]['privs'])) ||
> > ((array_key_exists($groupname, $cascadePrivs["usergroups"]) &&
> > $groupid == $cascadePrivs["usergroups"][$groupname]['id'] &&
> > in_array($priv,
> > $cascadePrivs["usergroups"][$groupname]['privs'])) &&
> > (! array_key_exists($groupname, $privs["usergroups"]) ||
> > (! in_array("block", $privs["usergroups"][$groupname]['privs'])
> > &&
> > $privs["usergroups"][$groupname]['id'] == $groupid)))) {
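Review bot: In the new condition, `$privs["usergroups"]` and `$cascadePrivs["usergroups"]` are still indexed by `$groupname`, with the id compared afterwards, so each array can hold only one entry per name. When the entry at this node belongs to a same-named group from another affiliation, the last clause `$privs["usergroups"][$groupname]['id'] == $groupid` is false and the user's own cascaded privilege is refused, even though no block applies to their group. That fails closed, but it is still the wrong result; the block test should only count when the ids match (`['id'] != $groupid || ! in_array("block", ...)`), and keying both arrays by group id would remove the collision altogether.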
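The name collision described in the report, as an added example that is not part of the original issue or of the VCL code base. The field names follow the patches above; the group ids, the sample rows and the functions `canEditByName`, `canEditById` and `exposedGroups` are hypothetical.

```php
<?php
// Constructed sample data; ids and helper functions are hypothetical.

// Groups the logged-in user belongs to, keyed by group id => group name.
// The user is a member of admin@EXAMPLE1 only.
$user = array("id" => 7, "groups" => array(10 => "admin"));

// Each affiliation has an "All users" group edited by a group named "admin".
$usergroups = array(
    20 => array("name" => "All users", "affiliation" => "EXAMPLE1",
                "ownerid" => 1, "editgroup" => "admin", "editgroupid" => 10),
    21 => array("name" => "All users", "affiliation" => "EXAMPLE2",
                "ownerid" => 2, "editgroup" => "admin", "editgroupid" => 11),
);

// Check as it was before the fix: compares the edit group's (non-unique) name.
function canEditByName($group, $user) {
    return $group["ownerid"] == $user["id"] ||
           (array_key_exists("editgroup", $group) &&
            in_array($group["editgroup"], $user["groups"]));
}

// Check after the fix: looks the edit group's id up in the id-keyed array.
// isset() also rejects a group whose editgroupid is NULL.
function canEditById($group, $user) {
    return $group["ownerid"] == $user["id"] ||
           (isset($group["editgroupid"]) &&
            array_key_exists($group["editgroupid"], $user["groups"]));
}

// Audit helper: ids of groups the old check opens up but the fixed one refuses.
function exposedGroups($usergroups, $user) {
    $exposed = array();
    foreach ($usergroups as $id => $group) {
        if (canEditByName($group, $user) && !canEditById($group, $user)) {
            $exposed[] = $id;
        }
    }
    return $exposed;
}

// Lists the EXAMPLE2 group: reachable by name, refused by id.
print_r(exposedGroups($usergroups, $user));
```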