glFusion / glfusion

glFusion CMS - Advanced Content Management with Style
https://www.glfusion.org
GNU General Public License v2.0

Arbitrary user impersonation vulnerability #482

Closed Topsec-bunney closed 2 years ago

Topsec-bunney commented 2 years ago

In the article comments, we can impersonate any user to comment. You can even impersonate a system administrator.

mark0263 commented 2 years ago

Thanks for the report. This seems pretty straightforward to fix: there is an existing UniqueName call that will query the user table to determine whether a username already exists; if it does, it will add a random 4-digit number to the end of the username. So in your example, Admin would become Admin6823.

Does the community feel this is an appropriate method to prevent the impersonation?

Topsec-bunney commented 2 years ago

Yes, the method you said can solve this problem

leegarner commented 2 years ago

I'd go a step further and restrict some names. This could even be a global configuration array, like $_CONF['disallowed_names'] = array('admin', 'root', 'supervisor', 'manager', 'service',); ... and admins could add any other names that might be used to spoof some authoritative user.

The same list could be used to restrict the login names chosen during signup (now I'm thinking something like this might be in place already...). Root users could still create special accounts with these names if desired. Only user-entered names, e.g. by Anonymous, would be checked against the list. Obviously the actual logged-in user "Admin" could post. We couldn't catch everything, the username is a free text field so "System Admin" could get through. Displaying (Anonymous) next to the user-entered name on anon posts could mitigate that also.

On Wed, Dec 8, 2021 at 5:48 AM Topsec_bunney wrote:

> Yes, the method you said can solve this problem

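The two mitigations discussed in this thread, mark0263's UniqueName-style suffix for colliding names and leegarner's reserved-name list plus "(Anonymous)" label, combined in one added example. This is illustrative code written for this page, not glFusion's own UniqueName or comment code; the `$registeredUsers` array stands in for the user table, and the `$_CONF['disallowed_names']` key, the helper names and the "Guest" fallback are assumptions.

```php
<?php
// Added example (not glFusion code): sanitise a user-entered display name on an
// anonymous comment so it cannot collide with, or imitate, a registered account.
// $registeredUsers, the $_CONF['disallowed_names'] key and all helper names are
// assumptions modelled on the thread; glFusion's real UniqueName() is not called.

// Constructed stand-in for the user table: registered login names.
$registeredUsers = ['Admin', 'mark0263', 'leegarner'];

// Reserved names an anonymous poster may never use (the list proposed in the thread).
$_CONF['disallowed_names'] = ['admin', 'root', 'supervisor', 'manager', 'service'];

/**
 * Normalise a name for comparison: trim, collapse inner whitespace, lowercase.
 * mb_strtolower is used when the mbstring extension is present so that
 * non-ASCII names compare correctly; strtolower is the fallback.
 */
function normalizeName(string $name): string
{
    $name = preg_replace('/\s+/', ' ', trim($name));
    return function_exists('mb_strtolower') ? mb_strtolower($name) : strtolower($name);
}

/**
 * True when the name matches a registered account, case-insensitively,
 * so "admin" and "ADMIN" collide with "Admin".
 */
function usernameExists(string $name, array $registered): bool
{
    $needle = normalizeName($name);
    foreach ($registered as $user) {
        if (normalizeName($user) === $needle) {
            return true;
        }
    }
    return false;
}

/**
 * True when the name is on the reserved list. Each whitespace-separated token is
 * checked as well, so "System Admin" is caught, not only a bare "admin".
 */
function isDisallowedName(string $name, array $disallowed): bool
{
    $norm = normalizeName($name);
    $reserved = array_map('normalizeName', $disallowed);
    if (in_array($norm, $reserved, true)) {
        return true;
    }
    foreach (explode(' ', $norm) as $token) {
        if (in_array($token, $reserved, true)) {
            return true;
        }
    }
    return false;
}

/**
 * Return a display name that is safe to store on an anonymous comment:
 *  - reserved names (or an empty name) are replaced with a generic label,
 *  - names colliding with a registered user get a random 4-digit suffix,
 *    repeated until no collision remains (the UniqueName approach),
 *  - "(Anonymous)" is appended so readers can tell the post apart from one
 *    written by the logged-in user of the same name.
 */
function anonymousDisplayName(string $entered, array $registered, array $disallowed): string
{
    $name = preg_replace('/\s+/', ' ', trim($entered));
    if ($name === '' || isDisallowedName($name, $disallowed)) {
        $name = 'Guest';
    }
    while (usernameExists($name, $registered)) {
        $name .= random_int(1000, 9999);
    }
    return $name . ' (Anonymous)';
}

// Usage: what an anonymous poster typed versus what would be stored and shown.
foreach (['Admin', 'System Admin', 'leegarner', 'Bob', '  root ', ''] as $typed) {
    printf("%-16s -> %s\n", json_encode($typed),
        anonymousDisplayName($typed, $registeredUsers, $_CONF['disallowed_names']));
}
```

Two points worth noting for anyone adapting this: the reserved-name check runs before the uniqueness check, so a reserved word never reaches the database even with a suffix, and the comparison is done on a normalised form so that case or stray whitespace cannot be used to slip past either list. As leegarner says, a free-text field can never be made airtight this way, which is why the "(Anonymous)" marker is applied unconditionally rather than only to flagged names.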