From be0133b0d420dc955287c867627677dc826dc4eb Mon Sep 17 00:00:00 2001
From: JediKev <kevin@enhancesoft.com>
Date: Mon, 12 Feb 2018 16:18:36 -0600
Subject: [PATCH] oops: Prevent Account Takeover
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This addresses an issue where someone can “take over” an account with only
a User’s email and a User’s previous ticket number. Once they get access
to a User’s ticket they can go to the Ticket Owner’s profile and change
the email to whatever they’d like. This adds a check on the profile to see
if the User is a Guest User. If they are a Guest then it kicks them back
to the ticket view. If they are the actual User it will let them view the
profile.
---
 profile.php | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/profile.php b/profile.php
index 47c100aef..db501ced3 100644
--- a/profile.php
+++ b/profile.php
@@ -19,6 +19,12 @@
 require 'secure.inc.php';
 
 require_once 'class.user.php';
+
+// Check if User is Guest. If so, redirect them back to ticket page to
+// prevent Account Takeover.
+if ($thisclient->isGuest())
+    Http::redirect('tickets.php');
+
 $user = User::lookup($thisclient->getId());
 
 if ($user && $_POST) {
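Review bot: the new guard only protects the rest of profile.php if `Http::redirect('tickets.php')` terminates the script; if the helper only emits a Location header and returns, execution continues into `User::lookup($thisclient->getId())` and the `if ($user && $_POST)` handler below it, so a guest who ignores the redirect could still submit the email change. Confirm that `Http::redirect` calls `exit` after sending the header, or add an explicit `exit;` after the redirect call. It is also worth confirming that `secure.inc.php` always leaves `$thisclient` set at this point, since `$thisclient->isGuest()` is now called unconditionally before the existing `User::lookup` line.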
-- 
GitLab