Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Potential privilege escalation in getUser function #69

Open
jhvh1 opened this issue Aug 11, 2016 · 1 comment
Open

Potential privilege escalation in getUser function #69

jhvh1 opened this issue Aug 11, 2016 · 1 comment

Comments

@jhvh1
Copy link

jhvh1 commented Aug 11, 2016

public function getUser($input, $fetchOptions = array())

Assume there is a privileged account with an Id of 1750. Next assume that an account is created with the username "1750". When getUser is called with $input = "1750", the function will return a User object associated with the privileged account with the Id of 1750 instead of the unprivileged account with a username of "1750". This happens because the value of $input passes the test for 'is_numeric' and is therefore used to lookup the user by the Id, instead of by the (user)name.
@bato3
Copy link

bato3 commented Sep 29, 2016
edited
Loading

This problem is not to solve the automatic detection of the field. Imagine the reverse situation.
Only a solution that is blocking the registration of user names consisting only of numbers.

For edits you can set custom_field_identifier to user_id or name

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@bato3 @jhvh1