Tickets :: Comment on [#671] Privacy error with private sql address books

* Your Email Address
* Spam protection	Enter the letters below: . \ /.__ . ..__ \| >< [ __\|_/ \| \ \|___/ \[_./\| \\|__/
Comment	> There seems to be a privacy/security error with private sql address books: > > When adding an entry (calling addobjectaction.php) user can define the > > owner_id database column -> user can add an entry in anybody's > > private sql address book. > > > > I've a private address book configured like this: > > 'title' => 'My Addressbook', > > 'type' => 'sql', > > 'params' => array( > > 'phptype' => 'mysql', > > 'hostspec' => 'localhost', // username, db, password removed > > 'table' => 'turba_objects' > > ), > > /* missing options straight from sources.php.dist */ > > 'public' => false, > > 'readonly' => false, > > 'admin' => array(), > > 'export' => true > > ); > > > > In the "Add" form there's a hidden field: > > <input type="hidden" name="object[__owner]" > value="invaliduser@not.my.domain"/> > > > > If the user set's the object[__owner] value he/she can add an entry to > > anybody's address book. > > > > AFAIK the problem is that addobjectaction.php doesn't check that the > > form value is the same as Auth::getAuth() (or that Auth::getAuth() belongs > > to the 'admin' => array()) ??? > > > > (also after reading thru deleteobject.php it seems that when removing > > entries the only check is that object_id matches the 'key' form data, > > I think the code should check that Auth::getAuth matches owner_id or > > is in the admin array). > > > > -Jarno
Attachment
Watch this ticket

Saved Queries