[SS-2016-011] ChangePasswordForm does not check $member->canLogin before login

This could be used to circumvent login restrictions: the change password feature could log in users who are unable to log in for reasons other than too many password attempts.
This commit is contained in:
Daniel Hensby 2016-07-14 17:03:52 +01:00 committed by Damian Mooyman
parent dc47f7ec9a
commit 2b30ade44d


@ -98,16 +98,19 @@ class ChangePasswordForm extends Form {
else if($data['NewPassword1'] == $data['NewPassword2']) { else if($data['NewPassword1'] == $data['NewPassword2']) {
$isValid = $member->changePassword($data['NewPassword1']); $isValid = $member->changePassword($data['NewPassword1']);
if($isValid->valid()) { if($isValid->valid()) {
$member->logIn();
// TODO Add confirmation message to login redirect
Session::clear('AutoLoginHash');
// Clear locked out status // Clear locked out status
$member->LockedOutUntil = null; $member->LockedOutUntil = null;
$member->FailedLoginCount = null; $member->FailedLoginCount = null;
$member->write(); $member->write();
if ($member->canLogIn()->valid()) {
$member->logIn();
}
// TODO Add confirmation message to login redirect
Session::clear('AutoLoginHash');
if (!empty($_REQUEST['BackURL']) if (!empty($_REQUEST['BackURL'])
// absolute redirection URLs may cause spoofing // absolute redirection URLs may cause spoofing
&& Director::is_site_url($_REQUEST['BackURL']) && Director::is_site_url($_REQUEST['BackURL'])