[Tickets #6208] [Debian Bug] Access rights not checked properly
bugs at horde.org
Tue Feb 5 02:07:35 UTC 2008
DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.
Ticket URL: http://bugs.horde.org/ticket/?id=6208
-----------------------------------------------------------------------
Ticket | 6208
Created By | reg at evolix.fr
Summary | [Debian Bug] Access rights not checked properly
Queue | Turba
Version | 2.1.3
Type | Bug
State | Unconfirmed
Priority | 2. Medium
Milestone |
Patch |
Owners |
-----------------------------------------------------------------------
reg at evolix.fr (2008-02-04 21:07) wrote:
Hello,
I'm a member of the pkg-horde team (two or three persons who create
packages for Debian). A Debian user, Peter Paul Elfferich, reported a
bug to us about checking access rights for Turba here:
http://bugs.debian.org/464058
I quote his report below:
--8<--
Access rights do not seem to be checked properly before allowing a user
to edit address data as illustrated in the following example:
A user adds an address from his or her personal addressbook to a contact
list in a shared address book. Now anybody who has write access to the
shared address book can also edit this person's address data in the
user's personal addressbook.
In fact, after manually entering an object_id (which I looked up in the
database) from somebody else's address book I found I could edit this
data as well.
So it seems that when edit.php is passed an object_id, the owner_id and
the requesting user's access rights to the addressbook that the owner_id
refers to aren't checked. Apparently knowing the object_id is enough to
be able to edit any address! I guess this is left over from the time
address books couldn't be shared yet, based on the assumption that
people wouldn't be able to guess the pseudo random 32 character ids.
--8<--
Regards,
--
Gregory Colpart <reg at evolix.fr> GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/
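The check the report says is missing, as an added illustration written for this page (not Turba's own code; the data, function and address-book names are constructed): the vulnerable pattern authorises against the address book named in the request, while the fixed pattern resolves the book that actually owns the object_id before allowing an edit.

```php
<?php
// Added illustration of the report's missing check; not Turba code. All
// identifiers, ids and data below are constructed for the example.

// Constructed stand-ins for the object table and the share permissions.
// Each object records the address book (source) that actually owns it.
$objects = [
    'a1b2c3d4e5f60718293a4b5c6d7e8f90' => ['owner' => 'alice',       'name' => 'Alice private contact'],
    '0f1e2d3c4b5a69788796a5b4c3d2e1f0' => ['owner' => 'team-shared', 'name' => 'Team contact'],
];
// Users holding write (edit) permission on each address book. The shared
// book's contact list links Alice's private object by object_id only.
$writeAccess = [
    'alice'       => ['alice'],
    'team-shared' => ['alice', 'bob', 'carol'],
];

function hasWriteAccess(array $writeAccess, string $user, string $book): bool
{
    return in_array($user, $writeAccess[$book] ?? [], true);
}

// Vulnerable pattern: the book is taken from the request, so anyone with
// write access to the shared book, or anyone who knows an object_id, reaches
// the edit form for an object that is stored in somebody else's book.
function canEditVulnerable(array $writeAccess, string $user, string $requestedBook, string $objectId): bool
{
    return hasWriteAccess($writeAccess, $user, $requestedBook);
}

// Fixed pattern: resolve the owning book from the object itself, server-side,
// and require write access to that book; unknown or guessed ids are denied.
function canEditFixed(array $objects, array $writeAccess, string $user, string $objectId): bool
{
    if (!isset($objects[$objectId])) {
        return false;
    }
    return hasWriteAccess($writeAccess, $user, $objects[$objectId]['owner']);
}

$alicePrivate = 'a1b2c3d4e5f60718293a4b5c6d7e8f90';
// Bob opens Alice's entry via the shared list: the request-based check lets him through ...
var_dump(canEditVulnerable($writeAccess, 'bob', 'team-shared', $alicePrivate));
// ... the owner-based check denies him, because he has no write access to Alice's book.
var_dump(canEditFixed($objects, $writeAccess, 'bob', $alicePrivate));
// Bob keeps his legitimate edit access to the shared book's own object.
var_dump(canEditFixed($objects, $writeAccess, 'bob', '0f1e2d3c4b5a69788796a5b4c3d2e1f0'));
```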