Fix multiple privilege escalation vulnerabilities (thanks to X Chen for advice)

2025-02-12 02:21:09 +03:00 · 2013-12-22 04:08:47 +04:00 · 2013-12-22 04:08:47 +04:00 · 01dba643ba
commit 01dba643ba
parent f9fd80423f
19 changed files with 44 additions and 6 deletions
--- a/src/mibew/libs/operator.php
+++ b/src/mibew/libs/operator.php
@ -24,8 +24,6 @@ $can_modifyprofile = 3;
 $can_count = 4;
 $can_viewnotifications = 5;
 $permission_ids = array(
 	$can_administrate => "admin",
 	$can_takeover => "takeover",
@ -239,6 +237,21 @@ function check_login($redirect = true)
 	return $_SESSION["${mysqlprefix}operator"];
 }
 function check_permissions()
 {
 	$check = false;
 	if (func_num_args() > 1) {
 	    $args = func_get_args();
 	    $operator = array_shift($args);
 	    foreach ($args as $permission) {
 		$check = $check || is_capable($permission, $operator);
 	    }
 	}
 	if (!$check) {
 	    die("Permission denied.");
 	}
 }
 function get_logged_in()
 {
 	global $mysqlprefix;
--- a/src/mibew/operator/avatar.php
+++ b/src/mibew/operator/avatar.php
@ -26,6 +26,10 @@ $opId = verifyparam("op", "/^\d{1,10}$/");
 $page = array('opid' => $opId, 'avatar' => '');
 $errors = array();
 if ($opId && ($opId != $operator['operatorid'])) {
 	check_permissions($operator, $can_administrate);
 }
 $canmodify = ($opId == $operator['operatorid'] && is_capable($can_modifyprofile, $operator))
 			 || is_capable($can_administrate, $operator);
--- a/src/mibew/operator/features.php
+++ b/src/mibew/operator/features.php
@ -21,6 +21,7 @@ require_once('../libs/settings.php');
 $operator = check_login();
 csrfchecktoken();
 check_permissions($operator, $can_administrate);
 $page = array('agentId' => '');
 $errors = array();
--- a/src/mibew/operator/getcode.php
+++ b/src/mibew/operator/getcode.php
@ -21,6 +21,7 @@ require_once('../libs/groups.php');
 require_once('../libs/getcode.php');
 $operator = check_login();
 check_permissions($operator, $can_administrate);
 loadsettings();
 $imageLocales = get_image_locales_map("../locales");
--- a/src/mibew/operator/gettextcode.php
+++ b/src/mibew/operator/gettextcode.php
@ -21,6 +21,7 @@ require_once('../libs/groups.php');
 require_once('../libs/getcode.php');
 $operator = check_login();
 check_permissions($operator, $can_administrate);
 loadsettings();
 $stylelist = get_style_list("../styles");
--- a/src/mibew/operator/group.php
+++ b/src/mibew/operator/group.php
@ -21,6 +21,7 @@ require_once('../libs/groups.php');
 $operator = check_login();
 csrfchecktoken();
 check_permissions($operator, $can_administrate);
 $page = array('grid' => '');
 $errors = array();
--- a/src/mibew/operator/groupmembers.php
+++ b/src/mibew/operator/groupmembers.php
@ -21,6 +21,7 @@ require_once('../libs/groups.php');
 $operator = check_login();
 csrfchecktoken();
 check_permissions($operator, $can_administrate);
 function get_group_members($groupid)
 {
--- a/src/mibew/operator/groups.php
+++ b/src/mibew/operator/groups.php
@ -20,6 +20,7 @@ require_once('../libs/operator.php');
 $operator = check_login();
 csrfchecktoken();
 check_permissions($operator, $can_administrate);
 if (isset($_GET['act']) && $_GET['act'] == 'del') {
--- a/src/mibew/operator/notification.php
+++ b/src/mibew/operator/notification.php
@ -20,6 +20,7 @@ require_once('../libs/operator.php');
 require_once('../libs/chat.php');
 $operator = check_login();
 check_permissions($operator, $can_administrate, $can_viewnotifications);
 $page = array();
--- a/src/mibew/operator/notifications.php
+++ b/src/mibew/operator/notifications.php
@ -21,14 +21,11 @@ require_once('../libs/operator.php');
 require_once('../libs/pagination.php');
 $operator = check_login();
 check_permissions($operator, $can_administrate, $can_viewnotifications);
 $page = array();
 $errors = array();
 if (!is_capable($can_administrate, $operator) && !is_capable($can_viewnotifications, $operator)) {
 	die("Permission denied.");
 }
 setlocale(LC_TIME, getstring("time.locale"));
 # locales
--- a/src/mibew/operator/operator.php
+++ b/src/mibew/operator/operator.php
@ -131,6 +131,9 @@ if (isset($_POST['login']) && isset($_POST['password'])) {
 if (!$opId && !is_capable($can_administrate, $operator)) {
 	$errors[] = "You are not allowed to create operators";
 }
 elseif ($opId && ($opId != $operator['operatorid'])) {
 	check_permissions($operator, $can_administrate);
 }
 $canmodify = ($opId == $operator['operatorid'] && is_capable($can_modifyprofile, $operator))
 			 || is_capable($can_administrate, $operator);
--- a/src/mibew/operator/operators.php
+++ b/src/mibew/operator/operators.php
@ -20,6 +20,7 @@ require_once('../libs/operator.php');
 $operator = check_login();
 csrfchecktoken();
 check_permissions($operator, $can_administrate);
 if (isset($_GET['act']) && $_GET['act'] == 'del') {
 	$operatorid = isset($_GET['id']) ? $_GET['id'] : "";
--- a/src/mibew/operator/opgroups.php
+++ b/src/mibew/operator/opgroups.php
@ -41,6 +41,10 @@ $page['groups'] = get_all_groups($link);
 mysql_close($link);
 $errors = array();
 if ($opId && ($opId != $operator['operatorid'])) {
 	check_permissions($operator, $can_administrate);
 }
 $canmodify = ($opId == $operator['operatorid'] && is_capable($can_modifyprofile, $operator))
 			 || is_capable($can_administrate, $operator);
--- a/src/mibew/operator/performance.php
+++ b/src/mibew/operator/performance.php
@ -21,6 +21,7 @@ require_once('../libs/settings.php');
 $operator = check_login();
 csrfchecktoken();
 check_permissions($operator, $can_administrate);
 $page = array('agentId' => '');
 $errors = array();
--- a/src/mibew/operator/permissions.php
+++ b/src/mibew/operator/permissions.php
@ -35,6 +35,10 @@ $opId = verifyparam("op", "/^\d{1,10}$/");
 $page = array('opid' => $opId, 'canmodify' => is_capable($can_administrate, $operator) ? "1" : "");
 $errors = array();
 if ($opId && ($opId != $operator['operatorid'])) {
 	check_permissions($operator, $can_administrate);
 }
 $op = operator_by_id($opId);
 if (!$op) {
--- a/src/mibew/operator/settings.php
+++ b/src/mibew/operator/settings.php
@ -21,6 +21,7 @@ require_once('../libs/settings.php');
 $operator = check_login();
 csrfchecktoken();
 check_permissions($operator, $can_administrate);
 $page = array('agentId' => '');
 $errors = array();
--- a/src/mibew/operator/themes.php
+++ b/src/mibew/operator/themes.php
@ -24,6 +24,7 @@ require_once('../libs/expand.php');
 require_once('../libs/settings.php');
 $operator = check_login();
 check_permissions($operator, $can_administrate);
 $stylelist = array();
 $stylesfolder = "../styles";
--- a/src/mibew/operator/translate.php
+++ b/src/mibew/operator/translate.php
@ -119,6 +119,7 @@ function get_auxiliary($s)
 $operator = check_login();
 csrfchecktoken();
 check_permissions($operator, $can_administrate);
 $source = verifyparam("source", "/^[\w-]{2,5}$/", $default_locale);
 $target = verifyparam("target", "/^[\w-]{2,5}$/", $current_locale);
--- a/src/mibew/operator/updates.php
+++ b/src/mibew/operator/updates.php
@ -20,6 +20,7 @@ require_once('../libs/operator.php');
 require_once('../libs/settings.php');
 $operator = check_login();
 check_permissions($operator, $can_administrate);
 $default_extensions = array('mysql', 'gd', 'iconv');