There is a Cross Site Request Forgery vulnerability in the account setting page. This vulnerability can be used to take over a user's account! I found this in Elgg 0.9.2, but there's no option below to make the version 0.9.2. Please let me know if I should submit more details on how this can be done.
The patch uses elggform_key_get and elggform_key_check to prevent CSRF, functions that seem to have been designed to prevent CSRF in the first place. The patch essentially uses elggform_key_get to generate a key, which is inserted into a hidden input field in the form and also into the user's session. Then elggform_key_check is used to check the submitted key against the key in the session variable.
Note that this patch has not completely patched the user details page. It just protects against the most serious parts, like CSRF against passwords and e-mail. The problem is that the various PHP files in the $functionuserdetails:init? array handle processing of the options the plugins individually insert into the user details page. There are two options I can think of:
- Make every plugin writer check for the form_key or
- Have a place where the form_key is checked before any plugin is called to process the input from user details page.
The second option sounds better, but I do not know how to do the latter yet.
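As an added illustration of the mechanism described in the comments above (not the Elgg patch and not Elgg's own elggform_key_get/elggform_key_check), here is a minimal PHP sketch of a session-bound form key, with the check done once in a central dispatcher before any plugin handler runs, i.e. the second option listed above. Function names and the $handlers array are hypothetical, and it uses modern PHP functions (random_bytes, hash_equals) that did not exist in the Elgg 0.9 era.

```php
<?php
// Added example, not Elgg code. Assumes session_start() has already run.

// Generate a per-session form key, store it in the session and
// return it so it can be placed in a hidden input field.
function form_key_get(): string {
    if (empty($_SESSION['form_key'])) {
        $_SESSION['form_key'] = bin2hex(random_bytes(16));
    }
    return $_SESSION['form_key'];
}

// Emit the hidden field that carries the key back with the form.
function form_key_field(): string {
    return '<input type="hidden" name="form_key" value="'
        . htmlspecialchars(form_key_get(), ENT_QUOTES, 'UTF-8') . '">';
}

// Compare the submitted key with the one in the session.
// hash_equals avoids leaking the key through timing differences.
function form_key_check(array $post): bool {
    if (empty($_SESSION['form_key']) || empty($post['form_key'])) {
        return false;
    }
    return hash_equals($_SESSION['form_key'], (string) $post['form_key']);
}

// Central dispatcher for the user details page: verify the key once,
// then let each registered plugin handler process its own options.
// $handlers models the per-plugin processing functions; each plugin
// no longer needs to perform the check itself.
function process_user_details(array $post, array $handlers): bool {
    if (!form_key_check($post)) {
        // Reject the whole request; no plugin handler is called.
        return false;
    }
    foreach ($handlers as $handler) {
        $handler($post);
    }
    return true;
}
```

A request that lacks the hidden field, or carries a key from another session, is rejected before any plugin sees it.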