Don't allow users to change their user name through spoofed webadmin requests

Since adding and editing users is handled pretty much the same way in webadmin, you could change your user name when you sent a POST requests with some arbitrary user field: echo "user=newuser&submitted=1" | \ lynx -post_data -auth=user:pass http://localhost:55455/edituser This was spotted by SilverLeo who seems to spend quite some time trying to make ZNC break, which is a good thing. Thanks! Oh and btw, the last commit (delete the pid file) is from SilverLeo. I forgot to mention him in the commit msg. Sorry. git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@949 726aef4b-f618-498e-8847-2d620e286838
2026-05-04 20:42:33 +02:00 · 2008-02-10 10:18:54 +00:00
parent 9a1c3874bc
commit bcb0306393
1 changed files with 9 additions and 2 deletions
--- a/modules/webadmin.cpp
+++ b/modules/webadmin.cpp
@@ -962,6 +962,8 @@ bool CWebAdminSock::UserPage(CString& sPageRet, CUser* pUser) {
 		return true;
 	}

+	/* If pUser is NULL, we are adding a user, else we are editing this one */
+
 	CString sUsername = GetParam("user");
 	if (!pUser && CZNC::Get().FindUser(sUsername)) {
 		GetErrorPage(sPageRet, "Invalid Submission [User " + sUsername + " already exists]");
@@ -1023,6 +1025,13 @@ CUser* CWebAdminSock::GetNewUser(CString& sPageRet, CUser* pUser) {
 		return NULL;
 	}

+	if (pUser) {
+		/* If we are editing a user we must not change the user name */
+		sUsername = pUser->GetUserName();
+	}
+
+	CUser* pNewUser = new CUser(sUsername);
+
 	CString sArg = GetParam("password");

 	if (sArg != GetParam("password2")) {
@@ -1030,8 +1039,6 @@ CUser* CWebAdminSock::GetNewUser(CString& sPageRet, CUser* pUser) {
 		return NULL;
 	}

-	CUser* pNewUser = new CUser(sUsername);
-
 	if (!sArg.empty()) {
 		pNewUser->SetPass(sArg.MD5(), true);
 	}