From bcb03063935c3a8dde6a2e5789911f1c251b7407 Mon Sep 17 00:00:00 2001
From: psychon
Date: Sun, 10 Feb 2008 10:18:54 +0000
Subject: [PATCH] Don't allow users to change their user name through spoofed webadmin requests Since adding and editing users is handled pretty much the same way in webadmin, you could change your user name when you sent a POST requests with some arbitrary user field: echo "user=newuser&submitted=1" | \ lynx -post_data -auth=user:pass http://localhost:55455/edituser This was spotted by SilverLeo who seems to spend quite some time trying to make ZNC break, which is a good thing. Thanks! Oh and btw, the last commit (delete the pid file) is from SilverLeo. I forgot to mention him in the commit msg. Sorry.
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@949 726aef4b-f618-498e-8847-2d620e286838
---
 modules/webadmin.cpp | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/modules/webadmin.cpp b/modules/webadmin.cpp
index af1e86d9..b5de9343 100644
--- a/modules/webadmin.cpp
+++ b/modules/webadmin.cpp
@@ -962,6 +962,8 @@ bool CWebAdminSock::UserPage(CString& sPageRet, CUser* pUser) {
 return true;
 }
+ /* If pUser is NULL, we are adding a user, else we are editing this one */
+
 CString sUsername = GetParam("user");
 if (!pUser && CZNC::Get().FindUser(sUsername)) {
 GetErrorPage(sPageRet, "Invalid Submission [User " + sUsername + " already exists]");
@@ -1023,6 +1025,13 @@ CUser* CWebAdminSock::GetNewUser(CString& sPageRet, CUser* pUser) {
 return NULL;
 }
+ if (pUser) {
+ /* If we are editing a user we must not change the user name */
+ sUsername = pUser->GetUserName();
+ }
+
+ CUser* pNewUser = new CUser(sUsername);
+
 CString sArg = GetParam("password");
 if (sArg != GetParam("password2")) {
@@ -1030,8 +1039,6 @@ CUser* CWebAdminSock::GetNewUser(CString& sPageRet, CUser* pUser) {
 return NULL;
 }
- CUser* pNewUser = new CUser(sUsername);
-
 if (!sArg.empty()) {
 pNewUser->SetPass(sArg.MD5(), true);
 }
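Review bot: Moving `CUser* pNewUser = new CUser(sUsername);` above the password comparison in GetNewUser leaks the object whenever the two password fields differ, because the `return NULL;` that closes the `if (sArg != GetParam("password2")) {` branch (visible as leading context of the following hunk) exits without freeing it. Only the `sUsername = pUser->GetUserName();` override has to run early; either leave the allocation below the password check where it was, or add `delete pNewUser;` before that `return NULL;`. The mismatch is driven purely by request parameters, so an authenticated webadmin user can repeat it and grow the process's memory. GetNewUser starts and ends outside the hunk, so its later error returns could not be checked for the same pattern.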