[SECURITY] Fixed exploit in token types
Fixes an exploit caused by a missing check of the type of the token used. Fixes #1118 once merged.
parent
0852f61ab3
commit
b16d9afcad
@ -117,7 +117,7 @@ class Invitation extends Base {
|
||||
$aData['username'] = $this->user->getUserName($account_id);
|
||||
$aData['subject'] = 'Pending Invitation';
|
||||
if ($this->mail->sendMail('invitations/body', $aData)) {
|
||||
$aToken = $this->token->getToken($aData['token']);
|
||||
$aToken = $this->token->getToken($aData['token'], 'invitation');
|
||||
if (!$this->createInvitation($account_id, $aData['email'], $aToken['id']))
|
||||
return false;
|
||||
return true;
|
||||
|
||||
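Review bot: The result of `getToken($aData['token'], 'invitation')` is dereferenced as `$aToken['id']` on the following line without a check, and getToken can now return false when the type lookup fails. In that case createInvitation would be handed a null token id after the invitation mail has already gone out. A guard before the createInvitation call, `if (!$aToken) { $this->setErrorMessage('Unable to find token'); return false; }`, would make this path fail cleanly. The enclosing method starts and ends outside the hunk.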
@ -11,7 +11,11 @@ class Token Extends Base {
|
||||
* @param name string Setting name
|
||||
* @return value string Value
|
||||
**/
|
||||
public function getToken($strToken) {
|
||||
public function getToken($strToken, $strType=NULL) {
|
||||
if (empty($strType) || ! $iToken_id = $this->tokentype->getTypeId($strType)) {
|
||||
$this->setErrorMessage('Invalid token type: ' . $strType);
|
||||
return false;
|
||||
}
|
||||
$stmt = $this->mysqli->prepare("SELECT * FROM $this->table WHERE token = ? LIMIT 1");
|
||||
if ($stmt && $stmt->bind_param('s', $strToken) && $stmt->execute() && $result = $stmt->get_result())
|
||||
return $result->fetch_assoc();
|
||||
|
||||
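Review bot: The type id stored in `$iToken_id` is never used in the lookup: the `prepare()` and `bind_param('s', $strToken)` lines under the new guard are unchanged context, so the SELECT still matches on the token value alone. As shown, the guard rejects only a missing or unknown type name, and a token issued for one purpose would still be returned when a different type is requested, which is the condition this commit sets out to close. The query should filter on type as well, by adding `AND <type column> = ?` to the WHERE clause (the column name is not visible on this page) and binding with `bind_param('si', $strToken, $iToken_id)`, assuming the id is an integer. The Invitation and User callers and the account confirmation script changed in this commit all depend on that filter. getToken's body continues past the hunk, and its docblock still lacks a `@param` line for `$strType`.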
@ -491,7 +491,10 @@ class User extends Base {
|
||||
return false;
|
||||
}
|
||||
if (isset($strToken) && !empty($strToken)) {
|
||||
$aToken = $this->token->getToken($strToken);
|
||||
if ( ! $aToken = $this->token->getToken($strToken, 'invitation')) {
|
||||
$this->setErrorMessage('Unable to find token');
|
||||
return false;
|
||||
}
|
||||
// Circle dependency, so we create our own object here
|
||||
$invitation = new Invitation();
|
||||
$invitation->setMysql($this->mysqli);
|
||||
@ -567,7 +570,7 @@ class User extends Base {
|
||||
**/
|
||||
public function resetPassword($token, $new1, $new2) {
|
||||
$this->debug->append("STA " . __METHOD__, 4);
|
||||
if ($aToken = $this->token->getToken($token)) {
|
||||
if ($aToken = $this->token->getToken($token, 'password_reset')) {
|
||||
if ($new1 !== $new2) {
|
||||
$this->setErrorMessage( 'New passwords do not match' );
|
||||
return false;
|
||||
@ -588,7 +591,7 @@ class User extends Base {
|
||||
$this->setErrorMessage('Unable to set new password');
|
||||
}
|
||||
} else {
|
||||
$this->setErrorMessage('Invalid token');
|
||||
$this->setErrorMessage('Invalid token: ' . $this->token->getError());
|
||||
}
|
||||
$this->debug->append('Failed to update password:' . $this->mysqli->error);
|
||||
return false;
|
||||
|
||||
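Review bot: The new else-branch message in resetPassword concatenates `$this->token->getError()` into the user-facing error, but in the getToken lines visible in this commit an error is set only for an invalid type name, not when no row matches. For an unknown token the suffix is therefore likely to be empty or left over from an earlier call, assuming getError() returns the last stored message. Keeping the user-facing text fixed with `$this->setErrorMessage('Invalid token');` and sending the detail to the debug log with `$this->debug->append('Token lookup failed: ' . $this->token->getError());` avoids the stale text and keeps internal detail away from an unauthenticated requester. resetPassword's body starts and ends outside these hunks.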
@ -6,8 +6,8 @@ if (!defined('SECURITY')) die('Hacking attempt');
|
||||
// Confirm an account by token
|
||||
if (!isset($_GET['token']) || empty($_GET['token'])) {
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => 'Missing token', 'TYPE' => 'errormsg');
|
||||
} else if (!$aToken = $oToken->getToken($_GET['token'])) {
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => 'Unable to activate your account. Invalid token', 'TYPE' => 'errormsg');
|
||||
} else if (!$aToken = $oToken->getToken($_GET['token'], 'confirm_email')) {
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => 'Unable to activate your account. Invalid token.', 'TYPE' => 'errormsg');
|
||||
} else {
|
||||
$user->changeLocked($aToken['account_id']);
|
||||
$oToken->deleteToken($aToken['token']);
|
||||
|
||||