Fix a privilege escalation bug in webadmin if auth modules are used

auth modules = imapauth and saslauth

Some code in CWebAdminSock::OnLogin() is skipped if a module handles auth
and thus m_pUser stays NULL. Most checks for admin rights only check for
m_pUser being NULL and thus any user WHO ALREADY HAS A VALID LOGIN can edit
other users if they know their user name.
(=Change the password of an admin and log in using this info)

One of the major excpeptions are the templates which use m_bAdmin instead of
m_pUser for checking the privieleges, thus users still see the normal pages
and this bug stayed unnoticed for a while.

This patch now moves the code that sets m_pUser to some code which is executed
in both cases, when an auth module is in effect and when one isn't.
(Well, technically this isn't a move, but code duplication, but executing this
 twice won't hurt and one of the follow-up patches cleans this up.)

git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1113 726aef4b-f618-498e-8847-2d620e286838

diff --git a/modules/webadmin.cpp b/modules/webadmin.cpp
index ca3691ac3052d97addcf9ae79b1eb66ddd49bf18..92ec0764dd5c6bdad02260f1c4251be16ca24272 100644 (file)
--- a/modules/webadmin.cpp
+++ b/modules/webadmin.cpp
@@ -80,8 +80,17 @@ public:
        }
 
        // Setters
-       void SetSessionUser(CUser* p) { m_pSessionUser = p; m_bAdmin = p->IsAdmin(); }
-       void SetAdmin(bool b) { m_bAdmin = b; }
+       void SetSessionUser(CUser* p) {
+               m_pSessionUser = p;
+               m_bAdmin = p->IsAdmin();
+
+               // If m_pUser is not NULL, only that user can be edited.
+               if (m_bAdmin) {
+                       m_pUser = NULL;
+               } else {
+                       m_pUser = m_pSessionUser;
+               }
+       }
        // !Setters
 
        virtual Csock* GetSockObj(const CString& sHost, unsigned short uPort);