security issue with ModeratorModule

Igor Khomenko
Added about 3 years ago

Hi there,

We found a case where a user with 'none' affiliation can change a room's occupants.

There is a method processSet: https://projects.tigase.org/projects/tigase-muc/repository/revisions/master/entry/src/main/java/tigase/muc/modules/ModeratorModule.java#L383

Let's say the following method returned null:

final String nickName = room.getOccupantsNickname(senderJid);

and the following returned Affiliation.none:

final Affiliation senderAffiliation = room.getAffiliation(senderJid.getBareJID());

Then, inside the checkItem method, we go inside this 'if':

 } else if ((newRole == null) && (newAffiliation != null)) {

and none of the 'if' checks will catch us because

occupantAffiliation.getWeight() == senderAffiliation.getWeight()

The solution could be the same as you have inside the processGet method:

boolean allowed = false;
allowed = allowed || senderAffiliation == Affiliation.admin;
allowed = allowed || senderAffiliation == Affiliation.owner;
allowed = allowed || (room.getConfig().getRoomAnonymity() == Anonymity.nonanonymous && senderRole.isPresentInRoom());

if (!allowed){
    throw new MUCException(Authorization.FORBIDDEN);
}
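
To make the reported path concrete, here is an added example (not code from the tigase-muc project or from the reporter) that runs a weight-only comparison beside the explicit allow list proposed above against the scenario described; the Affiliation, Role and Anonymity enums are simplified stand-ins assumed for the example, not Tigase's real classes.

```java
public class AffiliationSetCheck {
    // Minimal stand-ins for tigase.muc's Affiliation, Role and Anonymity (assumed shapes, not the real classes).
    enum Affiliation {
        outcast(0), none(10), member(20), admin(30), owner(40);
        private final int weight;
        Affiliation(int weight) { this.weight = weight; }
        int getWeight() { return weight; }
    }
    enum Role {
        none, visitor, participant, moderator;
        boolean isPresentInRoom() { return this != none; }
    }
    enum Anonymity { nonanonymous, semianonymous, fullanonymous }

    // Models the reported gap: a check that only rejects when the target outranks the sender
    // never fires when both have affiliation 'none', because the weights are equal.
    static boolean weightOnlyCheckAllows(Affiliation sender, Affiliation occupant) {
        return !(occupant.getWeight() > sender.getWeight());
    }

    // The gate proposed in the report, modelled on processGet: an explicit allow list that a sender
    // with no nickname in the room (role none) and affiliation none cannot satisfy.
    static boolean explicitAllowListAllows(Affiliation sender, Role senderRole, Anonymity roomAnonymity) {
        boolean allowed = false;
        allowed = allowed || sender == Affiliation.admin;
        allowed = allowed || sender == Affiliation.owner;
        allowed = allowed || (roomAnonymity == Anonymity.nonanonymous && senderRole.isPresentInRoom());
        return allowed;
    }

    public static void main(String[] args) {
        // Reported scenario: getOccupantsNickname() returned null, so the sender is not in the room
        // (role none) and getAffiliation() returned none; the target occupant also has affiliation none.
        Affiliation sender = Affiliation.none;
        Role senderRole = Role.none;
        Affiliation occupant = Affiliation.none;

        System.out.println("weight-only check allows the change: "
                + weightOnlyCheckAllows(sender, occupant));
        System.out.println("explicit allow list allows the change: "
                + explicitAllowListAllows(sender, senderRole, Anonymity.nonanonymous));
        System.out.println("owner is allowed: "
                + explicitAllowListAllows(Affiliation.owner, Role.moderator, Anonymity.semianonymous));
    }
}
```

The third clause is processGet's rule for reading the list: an occupant who is present in a non-anonymous room with affiliation none would still pass it, so for a set request the admin/owner clauses alone are the stricter gate.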

Replies (1)


Added by Bartosz Małkowski TigaseTeam about 3 years ago

I just added @ModeratorModuleTest.java@. Can you illustrate this problem as a test case, please?
