[pkg-horde] Bug#464058: turba2: Access rights not checked properly
Peter Paul Elfferich
pp at dia.uva.nl
Mon Feb 4 22:23:50 UTC 2008
Package: turba2
Version: 2.1.3-1
Severity: normal
Access rights do not seem to be checked properly before allowing a user
to edit address data as illustrated in the following example:
A user adds an address from his or her personal addressbook to a contact
list in a shared address book. Now anybody who has write access to the
shared address book can also edit this person's address data in the
user's personal addressbook.
In fact, after manually entering an object_id (which I looked up in the
database) from somebody else's address book I found I could edit this
data as well.
So it seems that when edit.php is passed an object_id, the owner_id and
the requesting user's access rights to the addressbook that the owner_id
refers to aren't checked. Apparently knowing the object_id is enough to
be able to edit any address! I guess this is left over from the time
address books couldn't be shared yet, based on the assumption that
people wouldn't be able to guess the pseudo-random 32-character ids.
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
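The missing object-level check described in the report, as an added example that is not Turba's code: an in-memory model (all names, ids and users are assumptions) in which the hardened edit resolves the entry's owner_id to its address book and checks the requesting user's rights on that book, rather than on the shared list that merely references the entry.

```python
# Added example, not Turba's code; all names are assumptions, not Horde identifiers.
from dataclasses import dataclass, field

class PermissionDenied(Exception):
    pass

@dataclass
class AddressBook:
    owner_id: str                               # book id a contact's owner_id refers to
    owner: str                                  # user who owns the book
    editors: set = field(default_factory=set)   # users given write access by sharing

@dataclass
class Contact:
    object_id: str                              # pseudo-random id edit.php receives
    owner_id: str                               # address book the entry lives in
    data: dict

BOOKS, CONTACTS = {}, {}

def edit_vulnerable(object_id, new_data):
    # Reported behaviour: the object_id alone is enough; nobody asks who is editing.
    CONTACTS[object_id].data.update(new_data)
    return True

def edit_contact(user, object_id, new_data):
    # Fixed: check the requesting user's rights on the book the entry's owner_id names.
    contact = CONTACTS.get(object_id)
    if contact is None:
        raise KeyError(object_id)
    book = BOOKS.get(contact.owner_id)
    if book is None or not (user == book.owner or user in book.editors):
        raise PermissionDenied(f"{user} may not edit entries of book {contact.owner_id}")
    contact.data.update(new_data)
    return True

def attempt_edit(user, object_id, new_data):
    # True if the hardened edit went through, False if it was refused.
    try:
        return edit_contact(user, object_id, new_data)
    except PermissionDenied:
        return False

def setup_scenario():
    # Constructed data: alice's personal book, a shared "team" book bob may write
    # to, and a contact list in the shared book that references alice's entry.
    BOOKS.clear(); CONTACTS.clear()
    BOOKS["alice"] = AddressBook("alice", "alice")
    BOOKS["team"] = AddressBook("team", "alice", editors={"bob"})
    CONTACTS["0123abcd"] = Contact("0123abcd", "alice", {"name": "Carol"})
    CONTACTS["listid01"] = Contact("listid01", "team", {"members": ["0123abcd"]})
```

With the vulnerable path bob's write access to the shared list is irrelevant, since any caller holding the object_id may change alice's personal entry; with the hardened path bob can still edit the list in the shared book but is refused on the personal entry it points to.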