fix: [security] Password confirmation bypass in user edit

- the optional password confirmation could potentially be circumvented
- by sending the user edit action a request that sets accept:application/json whilst posting form content

- as reported by Dawid Czarnecki of Zigrin Security on behalf of the Luxembourg Army
pull/8063/merge
iglocska 2022-04-18 02:00:13 +02:00
parent ce6bc88e33
commit 01120163a6
No known key found for this signature in database
GPG Key ID: BEA224F1FEF113AC
1 changed files with 2 additions and 2 deletions


@ -154,7 +154,7 @@ class UsersController extends AppController
}
}
}
if (!$abortPost && !$this->_isRest()) {
if (!$abortPost && (!$this->_isRest() || empty($this->request->header('Authorization')))) {
if (Configure::read('Security.require_password_confirmation')) {
if (!empty($this->request->data['User']['current_password'])) {
$hashed = $this->User->verifyPassword($this->Auth->user('id'), $this->request->data['User']['current_password']);
@ -853,7 +853,7 @@ class UsersController extends AppController
$this->request->data['User'] = $this->request->data;
}
$abortPost = false;
if (!$this->_isRest()) {
if (!$this->_isRest() || empty($this->request->header('Authorization'))) {
if (Configure::read('Security.require_password_confirmation')) {
if (!empty($this->request->data['User']['current_password'])) {
$hashed = $this->User->verifyPassword($this->Auth->user('id'), $this->request->data['User']['current_password']);
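Review bot: The new condition is the same expression written out twice, once in each hunk (-154 and -853), so the two call sites can drift apart on the next change; it belongs in one private helper, `private function _passwordConfirmationRequired() { return !$this->_isRest() || empty($this->request->header('Authorization')); }`, called from both places with a short comment stating the intent (`// session-authenticated form posts must confirm the current password even when they ask for JSON`). The check also treats the mere presence of an Authorization header as evidence that the request was authenticated by API key rather than by the session cookie; if the Auth component ever falls back to the session when that header is present but not accepted, the confirmation would still be skipped, so it is worth confirming that such requests are rejected before reaching this code, or keying the check off the resolved authentication method rather than the raw header. Both enclosing actions start and end outside the hunks, so the branch taken when `current_password` is empty is not visible here.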