security: [user] Fixing disclosure of role names to non-site admin users and ensure user edit applies the restricted_to_site_admin option

This vulnerability, on a default MISP installation without additional roles, is disclosing the list of role names which were restricted to the site admin. This commit fixes this disclosure vulnerability.

In addition, for MISP installations with custom roles, an org admin user could create a user assigned to new custom roles which were restricted to site admin. This could lead to access to complementary permissions (except site admin, org admin and sync actions).

Credits: CIRCL
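The authorisation check described in the commit message, as an added example that is not MISP's own code: one predicate decides whether a non-site-admin may hand out a role, and that same predicate both filters the role list offered in the form and validates the role_id that is actually submitted, so the server-side check cannot drift from the dropdown. Only the four column names (perm_site_admin, perm_sync, perm_regexp_access, restricted_to_site_admin) come from the patch; the function names, the exception text, the $currentRoleId carve-out and the sample roles are assumptions constructed for this illustration.

```php
<?php
// Added example, not MISP code. Column names follow the patch; the functions,
// exception text and sample roles below are constructed for illustration.

// Single source of truth: may a non-site-admin hand out this role?
function roleAssignableByOrgAdmin(array $role): bool
{
    // (int) casts keep the check robust to "1"/"0" strings or NULL from the ORM.
    return (int)$role['perm_site_admin'] !== 1
        && (int)$role['perm_sync'] !== 1
        && (int)$role['perm_regexp_access'] !== 1
        && (int)$role['restricted_to_site_admin'] !== 1;
}

// Roles to offer in the add/edit form. Site admins see everything.
function visibleRoles(array $rolesById, bool $isSiteAdmin): array
{
    if ($isSiteAdmin) {
        return $rolesById;
    }
    return array_filter($rolesById, 'roleAssignableByOrgAdmin');
}

// Server-side validation of the submitted role_id. Never trust the dropdown:
// a crafted POST can carry any id. $currentRoleId (assumed parameter) is the
// role the edited user already holds; keeping it is tolerated for the perm_*
// flags, but restricted_to_site_admin is rejected in every case.
function assertRoleAssignable(array $rolesById, int $chosenRoleId, bool $isSiteAdmin, ?int $currentRoleId = null): void
{
    if (!isset($rolesById[$chosenRoleId])) {
        throw new RuntimeException('Unknown role.');
    }
    if ($isSiteAdmin) {
        return;
    }
    $role = $rolesById[$chosenRoleId];
    if ((int)$role['restricted_to_site_admin'] === 1) {
        throw new RuntimeException('You are not authorised to assign that role to a user.');
    }
    $keepingCurrentRole = ($currentRoleId !== null && $chosenRoleId === $currentRoleId);
    if (!$keepingCurrentRole && !roleAssignableByOrgAdmin($role)) {
        throw new RuntimeException('You are not authorised to assign that role to a user.');
    }
}

// Constructed sample roles (not MISP's default role table).
$roles = [
    1 => ['id' => 1, 'name' => 'Site admin',        'perm_site_admin' => 1, 'perm_sync' => 1, 'perm_regexp_access' => 1, 'restricted_to_site_admin' => 0],
    2 => ['id' => 2, 'name' => 'Org admin',         'perm_site_admin' => 0, 'perm_sync' => 0, 'perm_regexp_access' => 0, 'restricted_to_site_admin' => 0],
    3 => ['id' => 3, 'name' => 'Analyst',           'perm_site_admin' => 0, 'perm_sync' => 0, 'perm_regexp_access' => 0, 'restricted_to_site_admin' => 0],
    4 => ['id' => 4, 'name' => 'Sync',              'perm_site_admin' => 0, 'perm_sync' => 1, 'perm_regexp_access' => 0, 'restricted_to_site_admin' => 0],
    5 => ['id' => 5, 'name' => 'Restricted custom', 'perm_site_admin' => 0, 'perm_sync' => 0, 'perm_regexp_access' => 0, 'restricted_to_site_admin' => 1],
];

// Org admin view of the dropdown: roles 1, 4 and 5 must not be listed.
echo implode(', ', array_column(visibleRoles($roles, false), 'name')), PHP_EOL;

// Org admin crafts role_id=5 (restricted custom role) in the POST body.
try {
    assertRoleAssignable($roles, 5, false);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// Editing a user who already holds the Sync role may keep that role ...
assertRoleAssignable($roles, 4, false, 4);
// ... but an Analyst cannot be moved onto it by an org admin.
try {
    assertRoleAssignable($roles, 4, false, 3);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Run it with `php example.php`. The design point is that `roleAssignableByOrgAdmin()` is the only place the four flags are consulted: adding a fifth restriction later means changing one function, and the list shown in the UI can never be more permissive than what the submit handler accepts.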
mokaddem committed Oct 6, 2022
1 parent 10def31 commit 934b9cd
Showing 1 changed file with 11 additions and 2 deletions.
13 changes: 11 additions & 2 deletions app/Controller/UsersController.php
Expand Up @@ -620,7 +620,7 @@ public function admin_add()
{
$params = null;
if (!$this->_isSiteAdmin()) {
$params = array('conditions' => array('perm_site_admin !=' => 1, 'perm_sync !=' => 1, 'perm_regexp_access !=' => 1));
$params = array('conditions' => array('perm_site_admin !=' => 1, 'perm_sync !=' => 1, 'perm_regexp_access !=' => 1, 'restricted_to_site_admin' => 0));
}
$this->loadModel('AdminSetting');
$default_role_id = $this->AdminSetting->getSetting('default_role');
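Review bot: the new `'restricted_to_site_admin' => 0` condition only narrows the role list shown to non-site admins in admin_add; nothing in this hunk checks the role_id that is actually submitted against the same four conditions, so please confirm the POST path of admin_add rejects a restricted role id server-side (as the admin_edit hunk below does) rather than relying on the filtered dropdown. Minor style point: the three existing conditions are written as `'perm_x !=' => 1` while the new one is `=> 0`; `'restricted_to_site_admin !=' => 1` would keep the four consistent.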
Expand Down Expand Up @@ -950,7 +950,16 @@ public function admin_edit($id = null)
$chosenRole = $this->User->Role->find('first', [
'conditions' => ['id' => $this->request->data['User']['role_id']],
]);
if (empty($chosenRole) || (($chosenRole['Role']['id'] != $allowedRole) && ($chosenRole['Role']['perm_site_admin'] == 1 || $chosenRole['Role']['perm_regexp_access'] == 1 || $chosenRole['Role']['perm_sync'] == 1))) {
if (
empty($chosenRole) ||
(
($chosenRole['Role']['id'] != $allowedRole) &&
($chosenRole['Role']['perm_site_admin'] == 1 ||
$chosenRole['Role']['perm_regexp_access'] == 1 ||
$chosenRole['Role']['perm_sync'] == 1) ||
$chosenRole['Role']['restricted_to_site_admin'] == 1
)
) {
throw new Exception('You are not authorised to assign that role to a user.');
}
}
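Review bot: operator precedence changes the meaning of the `$allowedRole` carve-out in this condition. Because `&&` binds tighter than `||`, the expression reads `(id != $allowedRole && (perm_site_admin || perm_regexp_access || perm_sync)) || restricted_to_site_admin == 1`: the three perm_* flags are still tolerated when the user keeps the role they already hold, but a restricted_to_site_admin role is rejected even in that case, so a non-site admin editing a user who already holds a restricted role will now hit the exception on every save. If that is intended, a short comment on `$chosenRole['Role']['restricted_to_site_admin'] == 1` would save the next reader from reading it as a precedence slip; if it is not, move the new clause inside the parenthesised group so it is also gated by `$chosenRole['Role']['id'] != $allowedRole`.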
