Summary | [Debian Bug] Access rights not checked properly |
Queue | Turba |
Queue Version | 2.1.3 |
Type | Bug |
State | Resolved |
Priority | 2. Medium |
Owners | chuck (at) horde (dot) org |
Requester | reg (at) evolix (dot) fr |
Created | 02/05/2008 (6327 days ago) |
Due | |
Updated | 02/15/2008 (6317 days ago) |
Assigned | |
Resolved | 02/15/2008 (6317 days ago) |
Milestone | |
Patch | No |
Assigned to Chuck Hagenbuch
State ⇒ Resolved
State ⇒ Unconfirmed
Priority ⇒ 2. Medium
Type ⇒ Bug
Summary ⇒ [Debian Bug] Access rights not checked properly
Queue ⇒ Turba
I'm a member of the pkg-horde team (two or three persons who create
packages for Debian). A Debian user, Peter Paul Elfferich, reported
a bug to us about checking access rights for Turba here:
http://bugs.debian.org/464058
I quote his report below:
--8<--
Access rights do not seem to be checked properly before allowing a user
to edit address data as illustrated in the following example:
A user adds an address from his or her personal addressbook to a contact
list in a shared address book. Now anybody who has write access to the
shared address book can also edit this person's address data in the
user's personal addressbook.
In fact, after manually entering an object_id (which I looked up in the
database) from somebody else's address book I found I could edit this
data as well.
So it seems that when edit.php is passed an object_id, the owner_id and
the requesting user's access rights to the addressbook that the owner_id
refers to aren't checked. Apparently knowing the object_id is enough to
be able to edit any address! I guess this is left over from the time
address books couldn't be shared yet, based on the assumption that
people wouldn't be able to guess the pseudo random 32 character ids.
--8<--
Regards,
--
Gregory Colpart <reg@evolix.fr> GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/
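The check the report says is missing can be shown on a small model of the scenario: an address book with owner and share grants, contacts that belong to one book, and a contact list in a shared book that only references a contact living in someone's personal book. The code below is an added illustration written for this page, not Turba's code; the names `AddressBook`, `Contact`, `Store`, `edit_contact_unchecked` and `edit_contact_checked` and the owner/share permission model are invented for the example. The unchecked function models the behaviour described in the report (the object_id alone selects the record); the checked one resolves the record's owning book and requires edit permission on that book, however the caller obtained the id.

```python
"""Constructed model of the authorization check missing in the reported bug.

Not Turba's code: books, contacts and permissions are plain Python objects
invented for this example. The point is that the permission check must be
made against the book the contact actually lives in, not against whatever
book or list the caller happened to reach it through.
"""
from dataclasses import dataclass, field
import secrets

READ, EDIT = "read", "edit"


@dataclass
class AddressBook:
    name: str
    owner: str
    # explicit grants to other users: user -> set of permissions (assumed model)
    shares: dict = field(default_factory=dict)

    def allows(self, user, perm):
        return user == self.owner or perm in self.shares.get(user, set())


@dataclass
class Contact:
    object_id: str   # pseudo-random 32 hex character id, as in the report
    owner_book: str  # the book this record belongs to
    data: dict


class Store:
    def __init__(self):
        self.books = {}
        self.contacts = {}

    def add_book(self, book):
        self.books[book.name] = book

    def add_contact(self, book_name, data):
        oid = secrets.token_hex(16)  # 32 hex chars, hard to guess but not a secret
        self.contacts[oid] = Contact(oid, book_name, dict(data))
        return oid

    # Behaviour described in the bug: knowing the object_id is enough.
    def edit_contact_unchecked(self, user, object_id, changes):
        self.contacts[object_id].data.update(changes)
        return True

    # Hardened form: look up the owning book of the record being edited and
    # require EDIT on that book for the requesting user.
    def edit_contact_checked(self, user, object_id, changes):
        contact = self.contacts.get(object_id)
        if contact is None:
            return False  # unknown id answered like "not permitted": no existence oracle
        if not self.books[contact.owner_book].allows(user, EDIT):
            return False
        contact.data.update(changes)
        return True


def demo():
    """Replays the report's scenario; returns the outcomes for inspection."""
    store = Store()
    store.add_book(AddressBook("alice_personal", owner="alice"))
    store.add_book(AddressBook("team_shared", owner="alice",
                               shares={"bob": {READ, EDIT}}))
    carol = store.add_contact("alice_personal",
                              {"name": "Carol", "email": "carol@example.org"})
    # A contact list in the shared book that merely references Carol's record;
    # the record itself stays in Alice's personal book.
    team = store.add_contact("team_shared", {"name": "Team", "members": [carol]})

    # Bob may edit the list: it lives in a book shared with him for editing.
    list_ok = store.edit_contact_checked("bob", team, {"name": "Core team"})
    # Bob may not edit Carol's record, although the list led him to its id.
    member_ok = store.edit_contact_checked("bob", carol, {"email": "x@example.org"})
    # The unchecked path, as in the report, lets the same edit through.
    unchecked = store.edit_contact_unchecked("bob", carol, {"email": "y@example.org"})
    # A made-up id is refused without raising.
    unknown = store.edit_contact_checked("bob", "0" * 32, {"email": "z@example.org"})
    return list_ok, member_ok, unchecked, unknown, store.contacts[carol].data["email"]


if __name__ == "__main__":
    print(demo())  # (True, False, True, False, 'y@example.org')
```

The fix is deliberately keyed on the contact's own `owner_book`, not on the book the user was browsing: a contact reachable through several lists still has exactly one owner, and that owner's share settings decide. Returning the same `False` for an unknown id as for a denied one keeps the edit endpoint from confirming which ids exist.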