Fix multiple privilege escalation vulnerabilities (thanks to X Chen for advice)

src/mibew/libs/operator.php

@@ -24,8 +24,6 @@ $can_modifyprofile = 3;
 $can_count = 4;
 $can_viewnotifications = 5;
 
-
-
 $permission_ids = array(
 	$can_administrate => "admin",
 	$can_takeover => "takeover",
@@ -239,6 +237,21 @@ function check_login($redirect = true)
 	return $_SESSION["${mysqlprefix}operator"];
 }
 
+function check_permissions()
+{
+	$check = false;
+	if (func_num_args() > 1) {
+	    $args = func_get_args();
+	    $operator = array_shift($args);
+	    foreach ($args as $permission) {
+		$check = $check || is_capable($permission, $operator);
+	    }
+	}
+	if (!$check) {
+	    die("Permission denied.");
+	}
+}
+
 function get_logged_in()
 {
 	global $mysqlprefix;

src/mibew/operator/avatar.php

@@ -26,6 +26,10 @@ $opId = verifyparam("op", "/^\d{1,10}$/");
 $page = array('opid' => $opId, 'avatar' => '');
 $errors = array();
 
+if ($opId && ($opId != $operator['operatorid'])) {
+	check_permissions($operator, $can_administrate);
+}
+
 $canmodify = ($opId == $operator['operatorid'] && is_capable($can_modifyprofile, $operator))
 			 || is_capable($can_administrate, $operator);
 

src/mibew/operator/features.php

@@ -21,6 +21,7 @@ require_once('../libs/settings.php');
 
 $operator = check_login();
 csrfchecktoken();
+check_permissions($operator, $can_administrate);
 
 $page = array('agentId' => '');
 $errors = array();

src/mibew/operator/getcode.php

@@ -21,6 +21,7 @@ require_once('../libs/groups.php');
 require_once('../libs/getcode.php');
 
 $operator = check_login();
+check_permissions($operator, $can_administrate);
 loadsettings();
 
 $imageLocales = get_image_locales_map("../locales");

src/mibew/operator/gettextcode.php

@@ -21,6 +21,7 @@ require_once('../libs/groups.php');
 require_once('../libs/getcode.php');
 
 $operator = check_login();
+check_permissions($operator, $can_administrate);
 loadsettings();
 
 $stylelist = get_style_list("../styles");

src/mibew/operator/group.php

@@ -21,6 +21,7 @@ require_once('../libs/groups.php');
 
 $operator = check_login();
 csrfchecktoken();
+check_permissions($operator, $can_administrate);
 
 $page = array('grid' => '');
 $errors = array();

src/mibew/operator/groupmembers.php

@@ -21,6 +21,7 @@ require_once('../libs/groups.php');
 
 $operator = check_login();
 csrfchecktoken();
+check_permissions($operator, $can_administrate);
 
 function get_group_members($groupid)
 {

src/mibew/operator/groups.php

@@ -20,6 +20,7 @@ require_once('../libs/operator.php');
 
 $operator = check_login();
 csrfchecktoken();
+check_permissions($operator, $can_administrate);
 
 if (isset($_GET['act']) && $_GET['act'] == 'del') {
 

src/mibew/operator/notification.php

@@ -20,6 +20,7 @@ require_once('../libs/operator.php');
 require_once('../libs/chat.php');
 
 $operator = check_login();
+check_permissions($operator, $can_administrate, $can_viewnotifications);
 
 $page = array();
 

src/mibew/operator/notifications.php

@@ -21,14 +21,11 @@ require_once('../libs/operator.php');
 require_once('../libs/pagination.php');
 
 $operator = check_login();
+check_permissions($operator, $can_administrate, $can_viewnotifications);
 
 $page = array();
 $errors = array();
 
-if (!is_capable($can_administrate, $operator) && !is_capable($can_viewnotifications, $operator)) {
-	die("Permission denied.");
-}
-
 setlocale(LC_TIME, getstring("time.locale"));
 
 # locales

src/mibew/operator/operator.php

@@ -131,6 +131,9 @@ if (isset($_POST['login']) && isset($_POST['password'])) {
 if (!$opId && !is_capable($can_administrate, $operator)) {
 	$errors[] = "You are not allowed to create operators";
 }
+elseif ($opId && ($opId != $operator['operatorid'])) {
+	check_permissions($operator, $can_administrate);
+}
 
 $canmodify = ($opId == $operator['operatorid'] && is_capable($can_modifyprofile, $operator))
 			 || is_capable($can_administrate, $operator);

src/mibew/operator/operators.php

@@ -20,6 +20,7 @@ require_once('../libs/operator.php');
 
 $operator = check_login();
 csrfchecktoken();
+check_permissions($operator, $can_administrate);
 
 if (isset($_GET['act']) && $_GET['act'] == 'del') {
 	$operatorid = isset($_GET['id']) ? $_GET['id'] : "";

src/mibew/operator/opgroups.php

@@ -41,6 +41,10 @@ $page['groups'] = get_all_groups($link);
 mysql_close($link);
 $errors = array();
 
+if ($opId && ($opId != $operator['operatorid'])) {
+	check_permissions($operator, $can_administrate);
+}
+
 $canmodify = ($opId == $operator['operatorid'] && is_capable($can_modifyprofile, $operator))
 			 || is_capable($can_administrate, $operator);
 

src/mibew/operator/performance.php

@@ -21,6 +21,7 @@ require_once('../libs/settings.php');
 
 $operator = check_login();
 csrfchecktoken();
+check_permissions($operator, $can_administrate);
 
 $page = array('agentId' => '');
 $errors = array();

src/mibew/operator/permissions.php

@@ -35,6 +35,10 @@ $opId = verifyparam("op", "/^\d{1,10}$/");
 $page = array('opid' => $opId, 'canmodify' => is_capable($can_administrate, $operator) ? "1" : "");
 $errors = array();
 
+if ($opId && ($opId != $operator['operatorid'])) {
+	check_permissions($operator, $can_administrate);
+}
+
 $op = operator_by_id($opId);
 
 if (!$op) {

src/mibew/operator/settings.php

@@ -21,6 +21,7 @@ require_once('../libs/settings.php');
 
 $operator = check_login();
 csrfchecktoken();
+check_permissions($operator, $can_administrate);
 
 $page = array('agentId' => '');
 $errors = array();

src/mibew/operator/themes.php

@@ -24,6 +24,7 @@ require_once('../libs/expand.php');
 require_once('../libs/settings.php');
 
 $operator = check_login();
+check_permissions($operator, $can_administrate);
 
 $stylelist = array();
 $stylesfolder = "../styles";

src/mibew/operator/translate.php

@@ -119,6 +119,7 @@ function get_auxiliary($s)
 
 $operator = check_login();
 csrfchecktoken();
+check_permissions($operator, $can_administrate);
 
 $source = verifyparam("source", "/^[\w-]{2,5}$/", $default_locale);
 $target = verifyparam("target", "/^[\w-]{2,5}$/", $current_locale);

src/mibew/operator/updates.php

@@ -20,6 +20,7 @@ require_once('../libs/operator.php');
 require_once('../libs/settings.php');
 
 $operator = check_login();
+check_permissions($operator, $can_administrate);
 
 $default_extensions = array('mysql', 'gd', 'iconv');