Fix SMods escalation attack (#1627)

Kevin Gross · web-flow · commit 1c253bc50948 · 2020-08-25T12:23:21.000+01:00
* Security Fix: SMods can perform escalation attack

Fixes a vulnerability where a supermoderator can delete a admin account an re-register it, gaining admin access in a server

* Addendum to previous commit

* Remove SMod ability to chgpass

Remove supermoderators ability to change an admin password
diff --git a/Server/mods/deathmatch/acl.xml b/Server/mods/deathmatch/acl.xml
@@ -177,10 +177,7 @@
       <right name="command.unloadmodule" access="true" />
       <right name="command.reloadmodule" access="true" />
       <right name="command.addaccount" access="true" />
-      <right name="command.delaccount" access="true" />
-      <right name="command.chgpass" access="true" />
       <right name="function.addAccount" access="true" />
-      <right name="function.removeAccount" access="true" />
       <right name="function.setAccountName" access="true" />
       <right name="function.setAccountPassword" access="true" />
    </acl>
@@ -199,6 +196,8 @@
       <right name="command.authserial" access="true" />
       <right name="command.reloadacl" access="true" />
       <right name="command.stopall" access="true" />
+      <right name="command.delaccount" access="true" />
+      <right name="command.chgpass" access="true" />
       <right name="function.addBan" access="true" />
       <right name="function.setUnbanTime" access="true" />
       <right name="function.setBanAdmin" access="true" />
@@ -233,6 +232,7 @@
       <right name="function.updateResourceACLRequest" access="true" />
       <right name="function.shutdown" access="true" />
       <right name="function.setPlayerScriptDebugLevel" access="true" />
+      <right name="function.removeAccount" access="true" />
    </acl>
    <acl name="RPC">
       <right name="function.callRemote" access="true" />
