aurweb/web/html
canyonknight 87fe4701cd Fix account editing and hijacking vulnerability
Checks are in place to avoid users getting account editing forms
they shouldn't have access to. The appropriate checks before
editing the account in the backend are not in place.

This vulnerability allows a user to craft malicious POST data to
edit other user accounts, thereby allowing account hijacking.

Add a new flexible function can_edit_account() to determine if
a user has appropriate permissions. Run the permission check before
processing any account information in the backend.

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-11-29 23:23:10 +01:00
css Implement word-wrap for package statistics 2012-10-28 02:17:54 +02:00
images Remove unused image "titlelogo.png" 2012-09-18 00:59:01 +02:00
404.php Display an error page if a virtual path doesn't exist 2012-10-20 18:28:17 +02:00
account.php Fix account editing and hijacking vulnerability 2012-11-29 23:23:10 +01:00
addvote.php Avoid use of "<b>"/"</b>" 2012-09-24 12:23:05 +02:00
home.php Add missing internationalization to a few strings 2012-11-04 17:08:31 +01:00
index.php Return 404 for invalid account/package subpages 2012-10-30 14:56:43 +01:00
login.php login.php: Properly link to logout page when already logged in 2012-11-24 13:20:35 +01:00
logout.php logout.php: Fix PHP undefined variable notice 2012-09-18 00:58:55 +02:00
packages.php Use echo shortcut syntax 2012-09-24 12:23:04 +02:00
passreset.php Use HTTPS links everywhere for Arch sites 2012-10-22 12:33:11 +02:00
pkgdel.php Move package deletion to a separate page 2012-09-28 08:57:24 +02:00
pkgmerge.php Move package merging to a separate page 2012-09-28 08:57:25 +02:00
pkgsubmit.php pkgsubmit.php: Show a warning for split packages 2012-11-04 18:03:18 +01:00
rpc.php Provide more examples on the RPC info page 2011-08-22 08:24:21 +02:00
rss.php rss.php: Update links to reflect URL changes 2012-09-21 07:35:52 +02:00
tu.php tu.php: Fix page showing a user hasn't voted when they have 2012-10-10 17:22:22 +02:00
voters.php Use echo shortcut syntax 2012-09-24 12:23:04 +02:00