Fix users vulnerabilities

2022-03-03 16:35:31 +01:00 · 2022-03-03 16:35:31 +01:00 · 036e2e3d6c
parent a4d7653cf9
commit 036e2e3d6c
2 changed files with 512 additions and 470 deletions
--- a/pandora_console/godmode/users/configure_user.php
+++ b/pandora_console/godmode/users/configure_user.php
@ -324,6 +324,16 @@ if ($create_user) {

    $user_is_admin = (int) get_parameter('is_admin', 0);

+    if (users_is_admin() === false && $user_is_admin !== 0) {
+        db_pandora_audit(
+            AUDIT_LOG_ACL_VIOLATION,
+            'Trying to create with administrator privileges to user by non administrator user '.$config['id_user'],
+        );
+
+        include 'general/noaccess.php';
+        exit;
+    }
+
    $values = [];
    $values['id_user'] = (string) get_parameter('id_user');
    $values['fullname'] = (string) get_parameter('fullname');
@ -538,6 +548,16 @@ if ($update_user) {
    $values['default_event_filter'] = (int) get_parameter('default_event_filter');
    $values['default_custom_view'] = (int) get_parameter('default_custom_view');

+    if (users_is_admin() === false && (bool) $values['is_admin'] !== false) {
+        db_pandora_audit(
+            AUDIT_LOG_ACL_VIOLATION,
+            'Trying to add administrator privileges to user by non administrator user '.$config['id_user'],
+        );
+
+        include 'general/noaccess.php';
+        exit;
+    }
+
    // eHorus user level conf.
    $values['ehorus_user_level_enabled'] = (bool) get_parameter('ehorus_user_level_enabled', false);
    $values['ehorus_user_level_user'] = (string) get_parameter('ehorus_user_level_user');
--- a/pandora_console/godmode/users/user_list.php
+++ b/pandora_console/godmode/users/user_list.php
@ -260,9 +260,21 @@ if (is_metaconsole() === true) {


 $disable_user = get_parameter('disable_user', false);
-if ((bool) get_parameter('user_del', false) === true) {
+$delete_user = (bool) get_parameter('user_del', false);
+
+if ($delete_user === true) {
    // Delete user.
    $id_user = get_parameter('delete_user', 0);
+    if (users_is_admin($id_user) === true && users_is_admin() === false) {
+        db_pandora_audit(
+            AUDIT_LOG_ACL_VIOLATION,
+            'Trying to delete admininstrator user by non administrator user '.$config['id_user'],
+        );
+
+        include 'general/noaccess.php';
+        exit;
+    }
+
    // Only allow delete user if is not the actual user.
    if ($id_user != $config['id_user']) {
        $user_row = users_get_user_by_id($id_user);
@ -332,6 +344,16 @@ if ((bool) get_parameter('user_del', false) === true) {
    // Disable_user.
    $id_user = get_parameter('id', 0);

+    if (users_is_admin($id_user) === true && users_is_admin() === false) {
+        db_pandora_audit(
+            AUDIT_LOG_ACL_VIOLATION,
+            'Trying to disable admininstrator user by non administrator user '.$config['id_user'],
+        );
+
+        include 'general/noaccess.php';
+        exit;
+    }
+
    if ($id_user !== 0) {
        $result = users_disable($id_user, $disable_user);
    } else {