Mon, 06 Apr 2026 21:50:02 +0000 https://bugs.horde.org/ticket/671 Privacy error with private sql address books There seems to be a privacy/security error with private sql address books: When adding an entry (calling addobjectaction.php) user can define the owner_id database column -> user can add an entry in anybody's private sql address book. I've a private address book configured like this: 'title' => 'My Addressbook', 'type' => 'sql', 'params' => array( 'phptype' => 'mysql', 'hostspec' => 'localhost', // username, db, password removed 'table' => 'turba_objects' ), /* missing options straight from sources.php.dist */ 'public' => false, 'readonly' => false, 'admin' => array(), 'export' => true ); In the "Add" form there's a hidden field: <input type="hidden" name="object[__owner]" value="invaliduser@not.my.domain"/> If the user set's the object[__owner] value he/she can add an entry to anybody's address book. AFAIK the problem is that addobjectaction.php doesn't check that the form value is the same as Auth::getAuth() (or that Auth::getAuth() belongs to the 'admin' => array()) ??? (also after reading thru deleteobject.php it seems that when removing entries the only check is that object_id matches the 'key' form data, I think the code should check that Auth::getAuth matches owner_id or is in the admin array). -Jarno Thu, 07 Oct 2004 10:21:38 +0000 https://bugs.horde.org/ticket/671#t2443 Should all now be fixed in CVS, thanks for the report. So it'll be in any future versions of Turba 1.2 and definitely in Turba 2.0. Sun, 10 Oct 2004 04:12:38 +0000 https://bugs.horde.org/ticket/671#t2481