Arbitrary user impersonation vulnerability

[Topsec-bunney]

In the article comments，We can impersonate any user to comment，You can even impersonate a system administrator

[mark0263]

Thanks for the report. This seems pretty straight forward to fix, there is an existing UniqueName call that will query the user table to determine if a username already exists, if it does, it will add a random 4 digit number to the end of the username. So in your example, Admin would become Admin6823.

Does the community feel this is an appropriate method to prevent the impersonation?

[Topsec-bunney]

Yes, the method you said can solve this problem

[leegarner]

I'd go a step further and restrict some names. This could even be a global configuration array, like $_CONF['disallowed_names'] = array('admin', 'root', 'supervisor', 'manager', 'service',); ... and admins could add any other names that might be used to spoof some authoritative user. The same list could be used to restrict the login names chosen during signup (now I'm thinking something like this might be in place already...). Root users could still create special accounts with these names if desired. Only user-entered names, e.g. by Anonymous, would be checked against the list. Obviously the actual logged-in user "Admin" could post. We couldn't catch everything, the username is a free text field so "System Admin" could get through. Displaying (Anonymous) next to the user-entered name on anon posts could mitigate that also.

…

On Wed, Dec 8, 2021 at 5:48 AM Topsec_bunney ***@***.***> wrote: Yes, the method you said can solve this problem — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#482 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABYLFOJJIPE2ATWISSCOH33UP5O3DANCNFSM5JTFKF5Q> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.