[bugs] [Bug 1225] New - xml rpc is insecure (only currently noted in Kronolith)
bugs at bugs.horde.org
Sat Apr 19 18:09:12 PDT 2003
http://bugs.horde.org/show_bug.cgi?id=1225
*** shadow/1225 Sat Apr 19 17:09:12 2003
--- shadow/1225.tmp.23535 Sat Apr 19 17:09:12 2003
***************
*** 0 ****
--- 1,32 ----
+ Bug#: 1225
+ Product: Horde
+ Version: other
+ Platform: PHP Code
+ OS/Version: Linux
+ Status: NEW
+ Resolution:
+ Severity: major
+ Priority: P1
+ Component: Core
+ Area: BUILD
+ AssignedTo: chuck at horde.org
+ ReportedBy: matthew at sackman.co.uk
+ URL:
+ Summary: xml rpc is insecure (only currently noted in Kronolith)
+
+ Using basic HTTP auth it is possible to use the xml rpc layer to extract data
+ (for example from Kronolith's calendars) from other people's calendars *despite*
+ specifically marking those calendars as private.
+
+ It would seem that when listing events, the access rights to each calendar name
+ supplied in the request are not checked, thus allowing any user to manipulate
+ all calendars in the system.
+
+ This is using CVS HEAD of Kronolith, Horde and Turba as of 11pm 18th April BST.
+
+ Thanks,
+
+ Matthew
+ --
+ Matthew Sackman
+
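Review bot: the report identifies the missing check (the access rights for each calendar name supplied in the XML-RPC request are not verified before events are listed) but gives no XML-RPC method name, request body, or expected-versus-observed result, so the defect is not reproducible from the record alone; adding a minimal request and the response received for another user's private calendar would let the fix be verified. The fix should enforce the caller's permission on every calendar named in the request at the RPC layer, not only in the web UI, and a regression test should confirm that a calendar marked private by another user returns no events over XML-RPC with basic HTTP auth.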