bug #4491 [security] Missing validation for accessing User groups fea…

…ture Signed-off-by: Marc Delisle <marc@infomarc.info>
phpmyadmin · Jul 17, 2014 · 395265e · 395265e
1 parent 29a1f56
commit 395265e
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 1 deletion.
diff --git a/ChangeLog b/ChangeLog
@@ -16,6 +16,7 @@ phpMyAdmin - ChangeLog
 - bug #4486 [security] XSS injection due to unescaped table comment
 - bug #4488 [security] XSS injection due to unescaped table name (triggers)
 - bug #4492 [security] XSS in AJAX confirmation messages
+- bug #4491 [security] Missing validation for accessing User groups feature
 
 4.2.5.0 (2014-06-26)
 - bug #4467 shell_exec() has been disabled for security reasons

diff --git a/server_user_groups.php b/server_user_groups.php
@@ -20,6 +20,14 @@
 $scripts  = $header->getScripts();
 $scripts->addFile('server_user_groups.js');
 
+/**
+ * Only allowed to superuser 
+ */
+if (! $GLOBALS['is_superuser']) {
+    $response->addHTML(PMA_Message::error(__('No Privileges'))->getDisplay());
+    exit;
+}
+
 $response->addHTML('<div>');
 $response->addHTML(PMA_getHtmlForSubMenusOnUsersPage('server_user_groups.php'));
 
@@ -61,4 +69,4 @@
 }
 
 $response->addHTML('</div>');
-?>
+?>