fix: [security] Password confirmation bypass in user edit
- optional password confirmation can be potentially circumvented
- fooling the user edit via a request that sets accept:application/json whilst posting form content

- as reported by Dawid Czarnecki of Zigrin Security on behalf of the Luxembourg Army
iglocska committed Apr 18, 2022
1 parent ce6bc88 commit 0112016
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions app/Controller/UsersController.php
Expand Up @@ -154,7 +154,7 @@ public function edit()
}
}
}
if (!$abortPost && !$this->_isRest()) {
if (!$abortPost && (!$this->_isRest() || empty($this->request->header('Authorization')))) {
if (Configure::read('Security.require_password_confirmation')) {
if (!empty($this->request->data['User']['current_password'])) {
$hashed = $this->User->verifyPassword($this->Auth->user('id'), $this->request->data['User']['current_password']);
Expand Down Expand Up @@ -853,7 +853,7 @@ public function admin_edit($id = null)
$this->request->data['User'] = $this->request->data;
}
$abortPost = false;
if (!$this->_isRest()) {
if (!$this->_isRest() || empty($this->request->header('Authorization'))) {
if (Configure::read('Security.require_password_confirmation')) {
if (!empty($this->request->data['User']['current_password'])) {
$hashed = $this->User->verifyPassword($this->Auth->user('id'), $this->request->data['User']['current_password']);
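Review bot: The new guard in edit() (and the identical one in admin_edit() below it) uses the mere presence of an `Authorization` header as the signal that the request was authenticated with an API key, so the decision to skip password confirmation rests on a request attribute rather than on how the session was actually established; whether the authentication layer rejects a request that carries an invalid header is outside this hunk and should be confirmed, because if it does not, a session-authenticated request could still reach this branch without confirming the password. The same compound condition is now written out at two call sites, which invites them to drift apart the next time the policy changes; pull it into one helper, e.g. `if (!$abortPost && !$this->_isRestWithApiKey()) {` here and `if (!$this->_isRestWithApiKey()) {` in admin_edit(), and document the helper with `// API-key authenticated REST clients cannot supply current_password; everyone else must confirm it.` so the intent survives the next edit. Both edit() and admin_edit() begin and end outside the lines shown.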
