bug #4491 [security] Missing validation for accessing User groups fea…

…ture Signed-off-by: Marc Delisle <marc@infomarc.info>
phpmyadmin · Jul 15, 2014 · 45550b8 · 45550b8
1 parent d143c54
commit 45550b8
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 1 deletion.
diff --git a/ChangeLog b/ChangeLog
@@ -1,6 +1,9 @@
 phpMyAdmin - ChangeLog
 ======================
 
+4.1.14.2 (not yet released)
+- bug #4491 [security] Missing validation for accessing User groups feature
+
 4.1.14.1 (2014-06-21)
 - bug #4464 [security] XSS injection due to unescaped db/table name in navigation hiding
 

diff --git a/server_user_groups.php b/server_user_groups.php
@@ -20,6 +20,14 @@
 $scripts  = $header->getScripts();
 $scripts->addFile('server_user_groups.js');
 
+/**
+ * Only allowed to superuser 
+ */
+if (! $GLOBALS['is_superuser']) {
+    $response->addHTML(PMA_Message::error(__('No Privileges'))->getDisplay());
+    exit;
+}
+
 $response->addHTML('<div>');
 $response->addHTML(PMA_getHtmlForSubMenusOnUsersPage('server_user_groups.php'));
 
@@ -61,4 +69,4 @@
 }
 
 $response->addHTML('</div>');
-?>
+?>