oops: Prevent Account Takeover

This addresses an issue where someone can “takeover” an account with only
a User’s email and a User’s previous ticket number. Once they get access
to a User’s ticket they can go to the Ticket Owner’s profile and change
the email to whatever they’d like. This adds a check on the profile to see
if the User is a Guest User. If they are a Guest then it kicks them back
to the ticket view. If they are the actual User it will let them view the
profile.
JediKev committed Feb 12, 2018
1 parent c4669d7 commit be0133b0d420dc955287c867627677dc826dc4eb
Showing with 6 additions and 0 deletions.
  1. +6 −0 profile.php
@@ -19,6 +19,12 @@
require 'secure.inc.php';
require_once 'class.user.php';
// Check if User is Guest. If so, redirect them back to ticket page to
// prevent Account Takeover.
if ($thisclient->isGuest())
Http::redirect('tickets.php');
$user = User::lookup($thisclient->getId());
if ($user && $_POST) {
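Review bot: The guard `if ($thisclient->isGuest()) Http::redirect('tickets.php');` only protects the code below it if the redirect terminates the request; unless `Http::redirect()` is known to call `exit`, add an explicit `exit;` (or wrap it as `{ Http::redirect('tickets.php'); exit; }`) so a guest request never reaches `User::lookup($thisclient->getId())` and the `if ($user && $_POST)` branch that handles the profile update, since a client that ignores the redirect response would otherwise still have the POST processed. The check also assumes `$thisclient` is always set by `secure.inc.php` at this point; if it can be null on this path, `->isGuest()` will fatal rather than redirect, so confirm that precondition or guard for it.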
