Ramon de C Valle <rcvalle> reports:

There is an improper privilege management vulnerability in the update_roles method of the UsersController controller. The update_roles method updates the roles of a specified user without checking the privileges of the user performing the action.

  def update_roles
    params[:user] = { "role_ids" => [] } unless params.has_key? :user

    # Add in the own role if updating roles, cause the user shouldn't see his own role
    params[:user][:role_ids] << @user.own_role.id

    if @user.update_attributes(params[:user])
      notify.success _("User updated successfully.")

      if not search_validate(User, @user.id, params[:search], :username)
        notify.message _("'%s' no longer matches the current search criteria.") % @user.username
      end

      render :nothing => true and return
    end
    notify.invalid_record @user
    render :text => @user.errors, :status => :ok
  end

Any user can arbitrarily update any attributes of any user (including itself) by sending a specially-crafted POST request.
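The following stand-alone Ruby is an added illustration, not Katello's code and not part of the report above. It models the two defects the report describes, the missing privilege check on the acting user and the unfiltered mass assignment of params[:user], and places a hardened version beside the vulnerable one. Every class and method name (User#can_edit_users?, update_roles_vulnerable, update_roles_fixed, PERMITTED_USER_ATTRS) is hypothetical; the params hash stands in for the Rails request parameters and uses string keys throughout, and the role and user objects are constructed inline so the file runs without Rails.

```ruby
# Added example (not Katello's code). Hypothetical names throughout.

class Role
  attr_reader :id, :name
  def initialize(id, name)
    @id = id
    @name = name
  end
end

ADMIN_ROLE = Role.new(1, "administrator")
READ_ROLE  = Role.new(2, "read_everything")

class User
  attr_accessor :username, :role_ids
  attr_reader :id, :own_role

  def initialize(id, username, role_ids)
    @id = id
    @username = username
    # Per-user "own role", mirroring the @user.own_role used on the page.
    @own_role = Role.new(1000 + id, "#{username}_own")
    @role_ids = role_ids + [@own_role.id]
  end

  # Mass assignment in the style of ActiveRecord#update_attributes: every key
  # of the hash becomes a setter call. This is why a crafted POST can change
  # attributes other than role_ids when the hash is passed through unfiltered.
  def update_attributes(attrs)
    attrs.each { |k, v| public_send("#{k}=", v) }
    true
  end

  # Hypothetical privilege check: only holders of the admin role may edit users.
  def can_edit_users?
    role_ids.include?(ADMIN_ROLE.id)
  end
end

# Vulnerable shape, following the reported action: the acting user is never
# consulted, and params[:user] reaches mass assignment unfiltered.
def update_roles_vulnerable(_current_user, target, params)
  params[:user] = { "role_ids" => [] } unless params.key?(:user)
  params[:user]["role_ids"] << target.own_role.id
  target.update_attributes(params[:user])
  :updated
end

# Hardened shape.
PERMITTED_USER_ATTRS = ["role_ids"].freeze

def update_roles_fixed(current_user, target, params)
  # 1. Authorize the *acting* user before any state is touched.
  return :forbidden unless current_user.can_edit_users?

  # 2. Whitelist: keep only role_ids and coerce it to an Array of Integers, so
  #    neither a stray "username" key nor a nested hash reaches a setter.
  submitted = params.fetch(:user, {}).select { |k, _| PERMITTED_USER_ATTRS.include?(k) }
  role_ids  = Array(submitted["role_ids"]).map { |r| Integer(r) }
  role_ids << target.own_role.id unless role_ids.include?(target.own_role.id)

  target.update_attributes("role_ids" => role_ids)
  :updated
rescue ArgumentError, TypeError
  # Integer() rejects non-numeric input; treat that as a malformed request.
  :bad_request
end
```

Run against a constructed request such as { :user => { "role_ids" => [1], "username" => "pwned" } }, the vulnerable function lets a read-only user rename another account and grant it the admin role (or grant itself the role, since the target may be the caller), while the hardened function refuses the unprivileged caller outright and, for a privileged caller, applies only the role_ids change.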
Acknowledgements: This issue was discovered by Ramon de C Valle of the Red Hat Product Security Team.
This issue is public now.