
Commit 92d11a0

committed
Validate confirm hash when updating account
This prevents an attacker from resetting another user's password while that user has an incomplete account validation or password reset request pending. Fixes #34433, CVE-2024-xxxxx
1 parent 0a50562 commit 92d11a0


2 files changed

+20
-8
lines changed


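--- a/account_update.php
+++ b/account_update.php
@@ -60,19 +60,30 @@
 
 form_security_validate( 'account_update' );
 
-# If token is set, it's a password reset request from verify.php, and if
-# not we need to reauthenticate the user
-$t_verify_user_id = gpc_get( 'verify_user_id', false );
-$t_account_verification = $t_verify_user_id ? token_get_value( TOKEN_ACCOUNT_VERIFY, $t_verify_user_id ) : false;
-if( !$t_account_verification ) {
-auth_reauthenticate();
-$t_user_id = auth_get_current_user_id();
-} else {
+$t_verify_user_id = gpc_get_int( 'verify_user_id', 0 );
+$t_account_verification = (bool)$t_verify_user_id;
+if( $t_account_verification ) {
+# Password reset request from verify.php - validate the confirmation hash
+$f_confirm_hash = gpc_get_string( 'confirm_hash' );
+$t_token_confirm_hash = token_get_value( TOKEN_ACCOUNT_ACTIVATION, $t_verify_user_id );
+if( $t_token_confirm_hash == null || $f_confirm_hash !== $t_token_confirm_hash ) {
+trigger_error( ERROR_LOST_PASSWORD_CONFIRM_HASH_INVALID, ERROR );
+}
+
+# Make sure the token is not expired
+if( null === token_get_value( TOKEN_ACCOUNT_VERIFY, $t_verify_user_id ) ) {
+trigger_error( ERROR_SESSION_NOT_VALID, ERROR );
+}
+
 # set a temporary cookie so the login information is passed between pages.
 auth_set_cookies( $t_verify_user_id );
 # fake login so the user can set their password
 auth_attempt_script_login( user_get_username( $t_verify_user_id ) );
 $t_user_id = $t_verify_user_id;
+} else {
+# Normal account update - authenticate the user
+auth_reauthenticate();
+$t_user_id = auth_get_current_user_id();
 }
 
 auth_ensure_user_authenticated();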
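Review bot: The new confirmation-hash check, `if( $t_token_confirm_hash == null || $f_confirm_hash !== $t_token_confirm_hash )`, compares a secret value with `!==`, which stops at the first differing byte; `if( $t_token_confirm_hash === null || !hash_equals( $t_token_confirm_hash, $f_confirm_hash ) )` gives a constant-time comparison and also replaces the loose `== null`, which would additionally match `''` and `'0'` (likely harmless here, but `===` states the intent). Both added checks rely on `trigger_error( …, ERROR )` not returning; that is presumably how this project's error handler behaves, but it is worth confirming, since otherwise execution would fall through into `auth_set_cookies( $t_verify_user_id )` with an unverified id. This is top-level script code rather than a function, so the checks are not reusable by other entry points that might accept `verify_user_id`; a comment noting that the two token lookups must both succeed before any cookie is set would help the next maintainer keep that ordering.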

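--- a/verify.php
+++ b/verify.php
@@ -131,6 +131,7 @@
 <legend><span><?php echo lang_get( 'edit_account_title' ) . ' - ' . string_display_line( $u_username ) ?></span></legend>
 <div class="space-10"></div>
 <input type="hidden" name="verify_user_id" value="<?php echo $u_id ?>">
+<input type="hidden" name="confirm_hash" value="<?php echo string_html_specialchars( $f_confirm_hash ) ?>">
 <?php
 echo form_security_field( 'account_update' );
 # When verifying account, set a token and don't display current password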
