
#83 Anyone can view/remove from any group

Status: open
Owner: nobody
Labels: bug (54)
Priority: 5
Updated: 2001-09-28
Created: 2001-09-28
Private: No

www_show_group_members does not check if the user
looking at the page is the owner of the group. It also
doesn't verify the user is the owner when it deletes so
any user can delete any user from any group by simply
going up through the group ids.

To delete a user go to your Manage Groups and edit the
URL to:
grp_id=<group id you don't own>
remove=Remove
remove_uidXXXX=1

Hit enter and the user is removed even though you don't
have access to the group.

The easiest fix is to verify ownership before doing
anything in the subroutine:

sub www_show_group_members {
    my $self = shift;

    $self->debug_msg(3, "Portal::www_show_group_members()");
    my $grp_id = $FORM{'grp_id'};

    # Refuse to do anything without a logged-in user object
    unless (ref($USER)) {
        warn("USER is not set up");
        &printError("USER is not set up");
        exit(0);
    }
    # Verify the current user owns this group before showing
    # or removing anything (same check covers the remove path)
    unless (sqlSelect("group_name", "grp",
                      "grp_id=" . $dbh->quote($grp_id) .
                      " and uid=" . $dbh->quote($USER->uid))) {
        warn("UNAUTHORIZED ACCESS attempt to group id " . $grp_id .
             " by " . $USER->email);
        $self->print_click_back("You are not the owner of this group!");
        exit(0);
    }

. . .

Later
Paul
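A self-contained sketch of the ownership check guarding both the view and the remove paths, added here as an illustration and not Paul's patch or the project's own code; the %grp and %members hashes are constructed data standing in for the real tables, and the numeric check on grp_id is an extra not in the original.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed in-memory tables (hypothetical) standing in for the
# grp table and the group-membership table the real code queries.
my %grp = (
    1 => { name => 'alpha', uid => 100 },
    2 => { name => 'beta',  uid => 200 },
);
my %members = (
    1 => { 100 => 1, 101 => 1 },
    2 => { 200 => 1, 201 => 1 },
);

# Ownership check factored out so every action on a group runs it first.
sub owns_group {
    my ($uid, $grp_id) = @_;
    return 0 unless defined $grp_id && $grp_id =~ /^\d+$/;   # reject non-numeric ids
    my $g = $grp{$grp_id} or return 0;                         # unknown group
    return $g->{uid} == $uid ? 1 : 0;
}

# Handles one request for the given user. Returns a status string; an
# unauthorized request changes nothing, whichever action was asked for.
sub show_group_members {
    my ($uid, $form) = @_;
    my $grp_id = $form->{grp_id};
    return 'unauthorized' unless owns_group($uid, $grp_id);   # check before ANY action
    if (defined $form->{remove}) {
        for my $key (grep { /^remove_uid\d+$/ } keys %$form) {
            my ($target) = $key =~ /^remove_uid(\d+)$/;
            delete $members{$grp_id}{$target};
        }
        return 'removed';
    }
    return join ',', sort { $a <=> $b } keys %{ $members{$grp_id} };
}

# Owner of group 1 views it; a non-owner asks to remove uid 101 and is
# refused; the owner makes the same request and it succeeds.
print show_group_members(100, { grp_id => 1 }), "\n";
print show_group_members(200, { grp_id => 1, remove => 'Remove', remove_uid101 => 1 }), "\n";
print show_group_members(100, { grp_id => 1, remove => 'Remove', remove_uid101 => 1 }), "\n";
print show_group_members(100, { grp_id => 1 }), "\n";
```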
