security issue with ModeratorModule

Igor Khomenko
Added about 3 years ago

Hi there,

we found a case where a user with 'none' affiliation can change a room's occupants

there is a method processSet.

let's say the following method returned null:

final String nickName = room.getOccupantsNickname(senderJid);

and the following returned Affiliation.none:

final Affiliation senderAffiliation = room.getAffiliation(senderJid.getBareJID());

then, inside checkItem method we go inside this 'if':

 } else if ((newRole == null) && (newAffiliation != null)) {

and none of the 'if' checks will catch us because

occupantAffiliation.getWeight() == senderAffiliation.getWeight()

The solution could be the same as you have inside the processGet method:

boolean allowed = false;
allowed = allowed || senderAffiliation == Affiliation.admin;
allowed = allowed || senderAffiliation == Affiliation.owner;
allowed = allowed || (room.getConfig().getRoomAnonymity() == Anonymity.nonanonymous && senderRole.isPresentInRoom());

if (!allowed) {
    throw new MUCException(Authorization.FORBIDDEN);
}
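The scenario above, as an added stand-alone illustration (not Tigase's code): a toy model of the affiliation check with the weight-only branch beside the processGet-style gate proposed in the report. The Affiliation weights, the Room class, the MUCException constructor and all JIDs are assumed for the demo; only the shape of the two checks follows the report.

```java
// Added illustration, not Tigase code. Enum weights, Room and MUCException are
// assumed stand-ins; the two check methods mirror the report's description.
import java.util.HashMap;
import java.util.Map;

public class AffiliationCheckDemo {

    // Assumed weights: a higher value means more privilege.
    enum Affiliation {
        none(0), admin(20), owner(30);
        private final int weight;
        Affiliation(int weight) { this.weight = weight; }
        int getWeight() { return weight; }
    }

    enum Anonymity { nonanonymous, semianonymous }

    static class MUCException extends Exception {
        MUCException(String msg) { super(msg); }
    }

    // Toy room: an affiliation per bare JID, and a nickname only for users currently in the room.
    static class Room {
        final Map<String, Affiliation> affiliations = new HashMap<>();
        final Map<String, String> occupantNicks = new HashMap<>();
        Anonymity anonymity = Anonymity.nonanonymous;

        Affiliation getAffiliation(String bareJid) {
            return affiliations.getOrDefault(bareJid, Affiliation.none);
        }

        // Returns null when the sender is not in the room, as in the report.
        String getOccupantsNickname(String bareJid) {
            return occupantNicks.get(bareJid);
        }
    }

    // Weak check, modelling the branch the report points at: it only compares the
    // weights of the target occupant and the sender, so 'none' vs 'none' passes.
    static void weakSet(Room room, String senderJid, String targetJid, Affiliation newAffiliation)
            throws MUCException {
        Affiliation senderAffiliation = room.getAffiliation(senderJid);
        Affiliation occupantAffiliation = room.getAffiliation(targetJid);
        if (occupantAffiliation.getWeight() > senderAffiliation.getWeight()) {
            throw new MUCException("forbidden");
        }
        // Equal weights: no branch rejects the request and the change is applied.
        room.affiliations.put(targetJid, newAffiliation);
    }

    // Hardened check: the processGet-style gate from the report, evaluated first.
    static void hardenedSet(Room room, String senderJid, String targetJid, Affiliation newAffiliation)
            throws MUCException {
        Affiliation senderAffiliation = room.getAffiliation(senderJid);
        boolean presentInRoom = room.getOccupantsNickname(senderJid) != null;

        boolean allowed = false;
        allowed = allowed || senderAffiliation == Affiliation.admin;
        allowed = allowed || senderAffiliation == Affiliation.owner;
        allowed = allowed || (room.anonymity == Anonymity.nonanonymous && presentInRoom);
        if (!allowed) {
            throw new MUCException("forbidden");
        }
        weakSet(room, senderJid, targetJid, newAffiliation);
    }

    public static void main(String[] args) {
        Room room = new Room();
        room.affiliations.put("owner@example.org", Affiliation.owner);
        // Constructed JIDs: "outsider" has no affiliation and is not in the room,
        // "alice" is an ordinary user with no affiliation either.
        String outsider = "outsider@example.org";
        String alice = "alice@example.org";

        try {
            weakSet(room, outsider, alice, Affiliation.owner);
            System.out.println("weak check: outsider set alice to " + room.getAffiliation(alice));
        } catch (MUCException e) {
            System.out.println("weak check: rejected");
        }

        room.affiliations.remove(alice);
        try {
            hardenedSet(room, outsider, alice, Affiliation.owner);
            System.out.println("hardened check: change applied");
        } catch (MUCException e) {
            System.out.println("hardened check: rejected, alice is still " + room.getAffiliation(alice));
        }
    }
}
```

In the report's scenario the sender is not in the room, so getOccupantsNickname returns null and the third clause of the gate does not apply; only an admin or owner gets past it. A regression test for this case would assert that the request from the non-affiliated, absent sender is rejected and the target's affiliation is unchanged.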

Replies (1)


Added by Bartosz Malkowski TigaseTeam about 3 years ago

I just added. Can you illustrate this problem as a test case, please?