diff options
| author | Andreas Gohr <andi@splitbrain.org> | 2015-02-24 19:45:03 +0100 |
|---|---|---|
| committer | Andreas Gohr <andi@splitbrain.org> | 2015-02-24 19:45:03 +0100 |
| commit | 9cbf80e627322dee19852b953ef242b4e0ad514a (patch) | |
| tree | 093edc200919a41fac4fb2d10f86a9d4bbe3cebc /lib/plugins/acl | |
| parent | 809448f525b31b791cfbb57255354c14c6a009a2 (diff) | |
| download | rpg-9cbf80e627322dee19852b953ef242b4e0ad514a.tar.gz rpg-9cbf80e627322dee19852b953ef242b4e0ad514a.tar.bz2 | |
check permissions in ACL plugin's RPC API component. #1056
Security Fix
Severity: Medium
Type: Remote Priviledge Escalation
Remote: yes
Vulnerability Details:
This fixes a security hole in the ACL plugins remote API component. The
plugin failed to check for superuser permissions before executing ACL
addition or deletion. This means everybody with permissions to call the
XMLRPC API also had permissions to set up their own ACL rules and thus
circumventing any existing rules.
Risk Assessment:
The XMLRPC API in DokuWiki is marked experimental and off by default. It
also implements an additional safeguard by giving access to a configured
circle of users and groups only. So only a minor number of DokuWiki
installations will be affected at all.
For affected installations the risk is high if users with access to the
API are not to be trusted.
Thus the overall severity of medium.
Resolution:
Installations applying this commit are safe. A hotfix is about to be
released. Meanwhile users are advised to disable the XMLRPC API in the
config manager.
Diffstat (limited to 'lib/plugins/acl')
| -rw-r--r-- | lib/plugins/acl/remote.php | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/lib/plugins/acl/remote.php b/lib/plugins/acl/remote.php index b10c544ee..42449428f 100644 --- a/lib/plugins/acl/remote.php +++ b/lib/plugins/acl/remote.php @@ -32,9 +32,14 @@ class remote_plugin_acl extends DokuWiki_Remote_Plugin { * @param string $scope * @param string $user * @param int $level see also inc/auth.php + * @throws RemoteAccessDeniedException * @return bool */ public function addAcl($scope, $user, $level){ + if(!auth_isadmin()) { + throw new RemoteAccessDeniedException('You are not allowed to access ACLs, superuser permission is required', 114); + } + /** @var admin_plugin_acl $apa */ $apa = plugin_load('admin', 'acl'); return $apa->_acl_add($scope, $user, $level); @@ -45,9 +50,14 @@ class remote_plugin_acl extends DokuWiki_Remote_Plugin { * * @param string $scope * @param string $user + * @throws RemoteAccessDeniedException * @return bool */ public function delAcl($scope, $user){ + if(!auth_isadmin()) { + throw new RemoteAccessDeniedException('You are not allowed to access ACLs, superuser permission is required', 114); + } + /** @var admin_plugin_acl $apa */ $apa = plugin_load('admin', 'acl'); return $apa->_acl_del($scope, $user); |