[Tickets #671] NEW: Privacy error with private sql address books
bugs at bugs.horde.org
Thu Oct 7 03:21:39 PDT 2004
DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.
Ticket URL: http://bugs.horde.org/ticket/?id=671
-----------------------------------------------------------------------
Ticket | 671
Created By | jhuuskon at iki.fi
Summary | Privacy error with private sql address books
Queue | Turba
Version | 1.2.2
State | Unconfirmed
Priority | 2. Medium
Type | Bug
Owners |
-----------------------------------------------------------------------
jhuuskon at iki.fi (2004-10-07 03:21) wrote:
There seems to be a privacy/security error with private sql address books:
When adding an entry (calling addobjectaction.php) the user can define the
owner_id database column -> the user can add an entry to anybody's
private sql address book.
I've a private address book configured like this:
    'title' => 'My Addressbook',
    'type' => 'sql',
    'params' => array(
        'phptype' => 'mysql',
        'hostspec' => 'localhost', // username, db, password removed
        'table' => 'turba_objects'
    ),
    /* missing options straight from sources.php.dist */
    'public' => false,
    'readonly' => false,
    'admin' => array(),
    'export' => true
);
In the "Add" form there's a hidden field:
<input type="hidden" name="object[__owner]" value="invaliduser at not.my.domain"/>
If the user sets the object[__owner] value he/she can add an entry to
anybody's address book.
AFAIK the problem is that addobjectaction.php doesn't check that the
form value is the same as Auth::getAuth() (or that Auth::getAuth() belongs
to the 'admin' => array()) ???
(Also, after reading through deleteobject.php, it seems that when removing
entries the only check is that object_id matches the 'key' form data;
I think the code should check that Auth::getAuth() matches owner_id or
is in the admin array.)
-Jarno
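The ownership check the report asks for, written out as an added example (not Turba's own code): the hidden object[__owner] field is only honoured for users listed in the source's 'admin' array, and deletes require the row's owner_id to match the caller. Auth::getAuth() and the sources.php keys come from the ticket; the function names, the $form/$row shapes and the sample values are assumptions.

```php
<?php
// Added example, not Turba's own code. Auth::getAuth() and the sources.php
// keys ('admin', 'public', 'readonly') come from the ticket; the function
// names and the $form/$row shapes are assumed.

// Return the owner_id an insert may use, or null when the request must be
// refused. Only admins of this source may name another owner; everyone else
// gets their own login as owner, whatever the form said.
function turba_owner_for_insert($form, $source, $currentUser)
{
    $requested = isset($form['object']['__owner']) ? $form['object']['__owner'] : null;
    if (in_array($currentUser, $source['admin'], true)) {
        return $requested !== null ? $requested : $currentUser;
    }
    if ($requested !== null && $requested !== $currentUser) {
        // A non-admin can only send a foreign owner by editing the hidden
        // field, so record the attempt and refuse the insert.
        error_log("turba: $currentUser tried to add an entry owned by $requested");
        return null;
    }
    return $currentUser;
}

// Same rule for deletes: a matching object_id is not enough, the row's
// owner_id must be the caller or the caller must be a source admin.
function turba_may_delete($row, $source, $currentUser)
{
    return $row['owner_id'] === $currentUser
        || in_array($currentUser, $source['admin'], true);
}

// Constructed sample: the private SQL book from the ticket, with one admin.
$source = array(
    'title'    => 'My Addressbook',
    'type'     => 'sql',
    'public'   => false,
    'readonly' => false,
    'admin'    => array('admin@example.test'),
);
$me = 'jarno@example.test';   // stands in for Auth::getAuth() (constructed)

// Tampered form from a non-admin, an untouched form, and the same tampered
// form submitted by a source admin.
$tampered = array('object' => array('__owner' => 'invaliduser@not.my.domain'));
var_dump(turba_owner_for_insert($tampered, $source, $me));
var_dump(turba_owner_for_insert(array(), $source, $me));
var_dump(turba_owner_for_insert($tampered, $source, 'admin@example.test'));
// Delete of a row owned by someone else, attempted by a non-admin.
var_dump(turba_may_delete(array('object_id' => 7, 'owner_id' => 'someone@else.test'), $source, $me));
```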