[SS-2016-011] ChangePasswordForm does not check $member->canLogin bef…

…ore login This could be used as a way to circumvent login restrictions by using the change password feature to log users in that are unable to login for reasons other than too many password attempts
silverstripe · Aug 15, 2016 · 6d41db7 · 6d41db7
1 parent f85dea2
commit 6d41db7
Showing 1 changed file with 8 additions and 5 deletions.
diff --git a/security/ChangePasswordForm.php b/security/ChangePasswordForm.php
@@ -98,16 +98,19 @@ public function doChangePassword(array $data) {
 		else if($data['NewPassword1'] == $data['NewPassword2']) {
 			$isValid = $member->changePassword($data['NewPassword1']);
 			if($isValid->valid()) {
-				$member->logIn();
-
-				// TODO Add confirmation message to login redirect
-				Session::clear('AutoLoginHash');
 
 				// Clear locked out status
 				$member->LockedOutUntil = null;
 				$member->FailedLoginCount = null;
 				$member->write();
-
+
+				if ($member->canLogIn()->valid()) {
+					$member->logIn();
+				}
+
+				// TODO Add confirmation message to login redirect
+				Session::clear('AutoLoginHash');
+
 				if (!empty($_REQUEST['BackURL'])
 					// absolute redirection URLs may cause spoofing 
 					&& Director::is_site_url($_REQUEST['BackURL'])