Skip to content
Permalink
Browse files

fix: [vulnerability] Fixes a vulnerability where a user can view sigh…

…tings that they should not be eligible for

- requires access to the event that has received the sighting
- affects instances with restrictive sighting settings (event only / sighting reported only)

- as reported by Tyler McLellan of CanCyber.org
  • Loading branch information...
iglocska committed Feb 28, 2019
1 parent f13b664 commit c69969329d197bcdd04832b03310fa73f4eb7155
Showing with 55 additions and 5 deletions.
  1. +55 −5 app/Controller/SightingsController.php
@@ -341,22 +341,72 @@ public function listSightings($id, $context = 'attribute', $org_id = false)
'contain' => array('Organisation.name'),
'order' => array('Sighting.date_sighting DESC')
));
if (!empty($sightings) && empty(Configure::read('Plugin.Sightings_policy')) && !$this->_isSiteAdmin()) {
$eventOwnerOrgIdList = array();
foreach ($sightings as $k => $sighting) {
if (empty($eventOwnerOrgIdList[$sighting['Sighting']['event_id']])) {
$temp_event = $this->Event->find('first', array(
'recursive' => -1,
'conditions' => array('Event.id' => $sighting['Sighting']['event_id']),
'fields' => array('Event.id', 'Event.orgc_id')
));
$eventOwnerOrgIdList[$temp_event['Event']['id']] = $temp_event['Event']['orgc_id'];
}
if (empty($eventOwnerOrgIdList[$sighting['Sighting']['event_id']]) || $eventOwnerOrgIdList[$sighting['Sighting']['event_id']] !== $this->Auth->user('org_id')) {
unset($sightings[$k]);
}
}
$sightings = array_values($sightings);
} else if (!empty($sightings) && Configure::read('Plugin.Sightings_policy') == 1 && !$this->_isSiteAdmin()) {
$eventsWithOwnSightings = array();
foreach ($sightings as $k => $sighting) {
if (empty($eventsWithOwnSightings[$sighting['Sighting']['event_id']])) {
$eventsWithOwnSightings[$sighting['Sighting']['event_id']] = false;
$sighting_temp = $this->Sighting->find('first', array(
'recursive' => -1,
'conditions' => array(
'Sighting.event_id' => $sighting['Sighting']['event_id'],
'Sighting.org_id' => $this->Auth->user('org_id')
)
));
if (empty($sighting_temp)) {
$temp_event = $this->Event->find('first', array(
'recursive' => -1,
'conditions' => array(
'Event.id' => $sighting['Sighting']['event_id'],
'Event.orgc_id' => $this->Auth->user('org_id')
),
'fields' => array('Event.id', 'Event.orgc_id')
));
$eventsWithOwnSightings[$sighting['Sighting']['event_id']] = !empty($temp_event);
} else {
$eventsWithOwnSightings[$sighting['Sighting']['event_id']] = true;
}
}
if (!$eventsWithOwnSightings[$sighting['Sighting']['event_id']]) {
unset($sightings[$k]);
}
}
$sightings = array_values($sightings);
}
$this->set('org_id', $org_id);
$this->set('rawId', $rawId);
$this->set('context', $context);
$this->set('types', array('Sighting', 'False-positive', 'Expiration'));
if (Configure::read('Plugin.Sightings_anonymise') && !$this->_isSiteAdmin()) {
foreach ($sightings as $k => $v) {
if ($v['Sighting']['org_id'] != $this->Auth->user('org_id')) {
$sightings[$k]['Organisation']['name'] = '';
$sightings[$k]['Sighting']['org_id'] = 0;
if (!empty($sightings)) {
foreach ($sightings as $k => $v) {
if ($v['Sighting']['org_id'] != $this->Auth->user('org_id')) {
$sightings[$k]['Organisation']['name'] = '';
$sightings[$k]['Sighting']['org_id'] = 0;
}
}
}
}
if ($this->_isRest()) {
return $this->RestResponse->viewData($sightings, $this->response->type());
}
$this->set('sightings', $sightings);
$this->set('sightings', empty($sightings) ? array() : $sightings);
$this->layout = false;
$this->render('ajax/list_sightings');
}

0 comments on commit c699693

Please sign in to comment.
You can’t perform that action at this time.