6.0.0-beta1
7/11/25

[#671] Privacy error with private sql address books
Summary Privacy error with private sql address books
Queue Turba
Queue Version 1.2.2
Type Bug
State Resolved
Priority 2. Medium
Owners chuck (at) horde (dot) org
Requester jhuuskon (at) iki (dot) fi
Created 10/07/2004 (7582 days ago)
Due
Updated 10/10/2004 (7579 days ago)
Assigned 10/08/2004 (7581 days ago)
Resolved 10/10/2004 (7579 days ago)
Github Issue Link
Github Pull Request
Milestone
Patch No

History
10/10/2004 04:12:38 AM Chuck Hagenbuch Comment #2
State ⇒ Resolved
Reply to this comment
Should all now be fixed in CVS, thanks for the report. So it'll be in 
any future versions of Turba 1.2 and definitely in Turba 2.0.
10/08/2004 04:10:05 AM Chuck Hagenbuch Assigned to Chuck Hagenbuch
State ⇒ Assigned
 
10/07/2004 10:21:38 AM jhuuskon (at) iki (dot) fi Comment #1
State ⇒ Unconfirmed
Priority ⇒ 2. Medium
Type ⇒ Bug
Summary ⇒ Privacy error with private sql address books
Queue ⇒ Turba
Reply to this comment
There seems to be a privacy/security error with private sql address books:

When adding an entry (calling addobjectaction.php) user can define the

owner_id database column -> user can add an entry in anybody's

private sql address book.



I've a private address book configured like this:

   'title' => 'My Addressbook',

     'type' => 'sql',

     'params' => array(

         'phptype' => 'mysql',

         'hostspec' => 'localhost', // username, db, password removed

         'table' => 'turba_objects'

     ),

      /* missing options straight from sources.php.dist */

     'public' => false,

     'readonly' => false,

     'admin' => array(),

     'export' => true

);



In the "Add" form there's a hidden field:

<input type="hidden" name="object[__owner]" 
value="invaliduser@not.my.domain"/>



If the user set's the object[__owner] value he/she can add an entry to

anybody's address book.



AFAIK the problem is that addobjectaction.php doesn't check that the

form value is the same as Auth::getAuth() (or that Auth::getAuth() belongs

to the 'admin' => array()) ???



(also after reading thru deleteobject.php it seems that when removing

entries the only check is that object_id matches the 'key' form data,

I think the code should check that Auth::getAuth matches owner_id or

is in the admin array).



-Jarno

Saved Queries