Check value of System:Edit permission and ZM_LOG_INJECT to disable ajax log injection.
Isaac Connor committed Oct 6, 2022
1 parent 619cf19 commit de2866f
Showing 1 changed file with 2 additions and 3 deletions.
5 changes: 2 additions & 3 deletions web/ajax/log.php
Expand Up @@ -18,9 +18,8 @@
}
} else if ($_REQUEST['task'] == 'create' ) {
global $user;
if (!$user) {
// We allow any logged in user to create logs. This opens us up to DOS by malicious user
$message = 'Insufficient permissions to view log entries for user '.$user['Username'];
if (!$user or (!canEdit('System') and !ZM_LOG_INJECT)) {
$message = 'Insufficient permissions to create log entries for user '.$user['Username'];
} else {
createRequest();
}
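Review bot: The denial branch of the new check still builds `$message` with `$user['Username']`, but that branch is also taken when `!$user` is true, so the message indexes an empty value and the username part is blank (and PHP raises a notice or warning, depending on version). Consider splitting the two cases, or only appending the username when `$user` is set. Separately, the removed comment about DoS by a logged-in user still applies whenever ZM_LOG_INJECT is enabled, because in that configuration any authenticated user reaches `createRequest()` without `canEdit('System')`; a short comment above the condition stating that ZM_LOG_INJECT deliberately bypasses the System:Edit requirement would keep that trade-off visible. Minor style point: `||`, `&&` are the more common choice than `or`, `and` in conditions, since the word forms have lower precedence than assignment and are easy to misuse if this expression is later refactored.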