Fixed a Cross-Site Request Forgery exploit that would allow logged-in…
… BigTree admins hitting a malicious page to automatically create / update users.
timbuckingham committed Jul 17, 2013
1 parent 4630c90 commit 4b0faa9
Showing 2 changed files with 42 additions and 22 deletions.
28 changes: 19 additions & 9 deletions core/admin/modules/users/create.php
@@ -1,13 +1,23 @@
<?
$admin->requireLevel(1);
$id = $admin->createUser($_POST);
if ($_SERVER["HTTP_REFERER"] != ADMIN_ROOT."users/add/") {
?>
<div class="container">
<section>
<p>To create a user, please access the <a href="<?=ADMIN_ROOT?>users/add/">Add User</a> page.</p>
</section>
</div>
<?
} else {
$admin->requireLevel(1);
$id = $admin->createUser($_POST);

if (!$id) {
$_SESSION["bigtree_admin"]["create_user"] = $_POST;
$admin->growl("Users","Creation Failed","error");
BigTree::redirect(ADMIN_ROOT."users/add/");
}

if (!$id) {
$_SESSION["bigtree_admin"]["create_user"] = $_POST;
$admin->growl("Users","Creation Failed","error");
BigTree::redirect(ADMIN_ROOT."users/add/");
$admin->growl("Users","Added User");
BigTree::redirect(ADMIN_ROOT."users/edit/$id/");
}

$admin->growl("Users","Added User");
BigTree::redirect(ADMIN_ROOT."users/edit/$id/");
?>
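Review bot: Gating user creation on `$_SERVER["HTTP_REFERER"]` (the `if` that opens the new branch) is a weak CSRF control: the header is client-supplied and optional, so browsers, proxies or privacy settings that omit it send legitimate admins to the fallback page, and a Referer comparison is normally treated as defence in depth rather than the primary check. The same pattern is used in update.php. The standard control is a per-session anti-CSRF token emitted as a hidden field on the add form and compared on submit with `hash_equals()`. At minimum the header should be tested with `isset` so a missing value fails closed without an undefined-index notice: `if (!isset($_SERVER["HTTP_REFERER"]) || $_SERVER["HTTP_REFERER"] != ADMIN_ROOT."users/add/") {`.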
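--- a/core/admin/modules/users/update.php
+++ b/core/admin/modules/users/update.php
@@ -1,16 +1,26 @@
 <?
-$perms = json_decode($_POST["permissions"],true);
-$_POST["permissions"] = array("page" => $perms["Page"],"module" => $perms["Module"],"resources" => $perms["Resource"],"module_gbp" => $perms["ModuleGBP"]);
-$_POST["alerts"] = json_decode($_POST["alerts"],true);
-$success = $admin->updateUser($_POST["id"],$_POST);
-
-if (!$success) {
-$_SESSION["bigtree_admin"]["update_user"] = $_POST;
-$admin->growl("Users","Update Failed","error");
-BigTree::redirect(ADMIN_ROOT."users/edit/".end($bigtree["path"])."/");
+if ($_SERVER["HTTP_REFERER"] != ADMIN_ROOT."users/edit/".$_POST["id"]."/") {
+?>
+<div class="container">
+<section>
+<p>To update a user, please access the <a href="<?=ADMIN_ROOT?>users/edit/<?=$_POST["id"]?>/">Edit User</a> page.</p>
+</section>
+</div>
+<?
+} else {
+$perms = json_decode($_POST["permissions"],true);
+$_POST["permissions"] = array("page" => $perms["Page"],"module" => $perms["Module"],"resources" => $perms["Resource"],"module_gbp" => $perms["ModuleGBP"]);
+$_POST["alerts"] = json_decode($_POST["alerts"],true);
+$success = $admin->updateUser($_POST["id"],$_POST);
+
+if (!$success) {
+$_SESSION["bigtree_admin"]["update_user"] = $_POST;
+$admin->growl("Users","Update Failed","error");
+BigTree::redirect(ADMIN_ROOT."users/edit/".end($bigtree["path"])."/");
+}
+
+$admin->growl("Users","Updated User");
+
+BigTree::redirect(ADMIN_ROOT."users/");
 }
-
-$admin->growl("Users","Updated User");
-
-BigTree::redirect(ADMIN_ROOT."users/");
 ?>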
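Review bot: `$_POST["id"]` is echoed unescaped into the `href` of the "Edit User" link in the new fallback markup, and that branch is exactly the one reached by a request that did not originate from the edit page, so the value cannot be assumed well-formed; this is a reflected XSS in the added code. Escape it for the attribute context: `<?=htmlspecialchars($_POST["id"], ENT_QUOTES, "UTF-8")?>`. The Referer comparison on the first new line should also be guarded with `isset($_SERVER["HTTP_REFERER"])` so an absent header fails closed without an undefined-index notice. Unlike create.php, no `$admin->requireLevel(1)` is visible in this file; if the permission check lives in a parent include that is fine, otherwise it belongs at the top of the else branch.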
