6.0.0-git
2020-11-24

[#6208] [Debian Bug] Access rights not checked properly
Summary [Debian Bug] Access rights not checked properly
Queue Turba
Queue Version 2.1.3
Type Bug
State Resolved
Priority 2. Medium
Owners chuck (at) horde (dot) org
Requester reg (at) evolix (dot) fr
Created 2008-02-05 (4676 days ago)
Due
Updated 2008-02-15 (4666 days ago)
Assigned
Resolved 2008-02-15 (4666 days ago)
Milestone
Patch No

History
2008-02-15 06:01:12 Chuck Hagenbuch Comment #2
Assigned to Chuck Hagenbuch
State ⇒ Resolved
Reply to this comment
This issue has been resolved. Please see the Debian bug for all of the 
details.
2008-02-05 02:07:35 reg (at) evolix (dot) fr Comment #1
Type ⇒ Bug
State ⇒ Unconfirmed
Priority ⇒ 2. Medium
Summary ⇒ [Debian Bug] Access rights not checked properly
Queue ⇒ Turba
Reply to this comment
Hello,



I'm member of pkg-horde team (two or three persons who create

packages for Debian). A Debian user, Peter Paul Elfferich, report

us a bug about checking access rights for Turba here : 
http://bugs.debian.org/464058

I quote his report below:



--8<--

Access rights do not seem to be checked properly before allowing a user

to edit address data as illustrated in the following example:



A user adds an address from his or her personal addressbook to a contact

list in a shared address book. Now anybody who has write access to the

shared address book can also edit this person's address data in the

user's personal addressbook.



In fact, after manually entering an object_id (which I looked up in the

database) from somebody else's address book I found I could edit this

data as well.



So it seems that when edit.php is passed an object_id, the owner_id and

the requesting user's access rights to the addressbook that the owner_id

refers to aren't checked. Apparantly knowing the object_id is enough to

be able to edit any address! I guess this is left over from the time

address books couldn't be shared yet, based on the assumption that

people wouldn't be able to guess the pseudo random 32 character id's.

--8<--



Regards,

--

Gregory Colpart <reg@evolix.fr>  GnuPG:1024D/C1027A0E

Evolix - Informatique et Logiciels Libres http://www.evolix.fr/


Saved Queries