[Tickets #6208] [Debian Bug] Access rights not checked properly

bugs at horde.org
Tue Feb 5 02:07:35 UTC 2008


DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.

Ticket URL: http://bugs.horde.org/ticket/?id=6208
-----------------------------------------------------------------------
 Ticket             | 6208
 Created By         | reg at evolix.fr
 Summary            | [Debian Bug] Access rights not checked properly
 Queue              | Turba
 Version            | 2.1.3
 Type               | Bug
 State              | Unconfirmed
 Priority           | 2. Medium
 Milestone          | 
 Patch              | 
 Owners             | 
-----------------------------------------------------------------------


reg at evolix.fr (2008-02-04 21:07) wrote:

Hello,

I'm a member of the pkg-horde team (two or three persons who create
packages for Debian). A Debian user, Peter Paul Elfferich, reported
a bug to us about checking access rights in Turba here:
http://bugs.debian.org/464058
I quote his report below:

--8<--
Access rights do not seem to be checked properly before allowing a user 
to edit address data as illustrated in the following example:

A user adds an address from his or her personal addressbook to a contact 
list in a shared address book. Now anybody who has write access to the 
shared address book can also edit this person's address data in the 
user's personal addressbook.

In fact, after manually entering an object_id (which I looked up in the 
database) from somebody else's address book I found I could edit this 
data as well.

So it seems that when edit.php is passed an object_id, the owner_id and 
the requesting user's access rights to the addressbook that the owner_id 
refers to aren't checked. Apparently knowing the object_id is enough to 
be able to edit any address! I guess this is left over from the time 
address books couldn't be shared yet, based on the assumption that 
people wouldn't be able to guess the pseudo random 32 character ids.
--8<--

Regards,
--
Gregory Colpart <reg at evolix.fr>  GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/
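The following is an added illustration, not Turba's code and not part of the ticket: a small self-contained Python model of the authorization flaw described above, with the missing check alongside. The names (Store, AddressBook, Contact, can_write, edit_contact_vulnerable, edit_contact_fixed, editable_members) and the sample object_ids are constructed for this example. It reproduces the reporter's scenario: a contact in alice's personal book is a member of a contact list in a shared book that bob can write to, and the fix resolves permissions from the contact's own owner_id rather than from the book the request arrived through.

```python
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    """Raised when the requesting user may not edit the addressed contact."""


@dataclass
class AddressBook:
    owner: str                                  # user who owns this book
    writers: set = field(default_factory=set)   # users granted write access by sharing


@dataclass
class Contact:
    object_id: str   # pseudo-random identifier, like Turba's 32-character ids
    owner_id: str    # key of the address book the contact lives in
    name: str
    members: list = field(default_factory=list)  # object_ids, if this entry is a contact list


@dataclass
class Store:
    books: dict      # owner_id -> AddressBook
    contacts: dict   # object_id -> Contact


# Constructed sample ids (hypothetical, not taken from any real database).
CAROL_ID = "6fa459ea2b4d4a0d8d2a6c1f0e3b9c7d"
TEAM_ID = "0f1e2d3c4b5a69788796a5b4c3d2e1f0"


def make_store() -> Store:
    """Constructed data reproducing the report: a personal contact placed in a shared list."""
    carol = Contact(CAROL_ID, "alice", "Carol")                  # lives in alice's personal book
    team = Contact(TEAM_ID, "shared", "Team", members=[CAROL_ID])  # list in the shared book
    return Store(
        books={
            "alice": AddressBook(owner="alice"),
            "shared": AddressBook(owner="alice", writers={"bob"}),
        },
        contacts={carol.object_id: carol, team.object_id: team},
    )


def edit_contact_vulnerable(store: Store, user: str, object_id: str, new_name: str) -> Contact:
    """Mirrors the reported behaviour: the object_id alone selects the record, no rights check."""
    contact = store.contacts[object_id]
    contact.name = new_name
    return contact


def can_write(store: Store, user: str, owner_id: str) -> bool:
    """True if user owns the book identified by owner_id or has been granted write access to it."""
    book = store.books.get(owner_id)
    if book is None:
        return False
    return user == book.owner or user in book.writers


def edit_contact_fixed(store: Store, user: str, object_id: str, new_name: str) -> Contact:
    """Look the book up from the contact's own owner_id and check the user's rights on that book.
    Unknown and forbidden object_ids produce the same error, so ids cannot be probed."""
    contact = store.contacts.get(object_id)
    if contact is None or not can_write(store, user, contact.owner_id):
        raise PermissionDenied("no write access to this contact")
    contact.name = new_name
    return contact


def editable_members(store: Store, user: str, list_id: str) -> list:
    """Members of a contact list the user may edit: write access to the list's book does not
    carry over to members that live in someone else's book."""
    lst = store.contacts.get(list_id)
    if lst is None or not can_write(store, user, lst.owner_id):
        raise PermissionDenied("no access to this contact list")
    return [m for m in lst.members
            if m in store.contacts and can_write(store, user, store.contacts[m].owner_id)]


if __name__ == "__main__":
    s = make_store()
    print("vulnerable:", edit_contact_vulnerable(s, "bob", CAROL_ID, "Mallory").name)
    s = make_store()
    try:
        edit_contact_fixed(s, "bob", CAROL_ID, "Mallory")
    except PermissionDenied as e:
        print("fixed:", e)
```

Running the module shows the vulnerable path letting bob rename Carol's entry in alice's personal book, while the fixed path refuses because bob's write right is on "shared", not on "alice"; bob can still rename the "Team" list itself, which does live in the shared book.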
