[pkg-horde] Bug#464058: turba2: Access rights not checked properly

Peter Paul Elfferich pp at dia.uva.nl
Mon Feb 4 22:23:50 UTC 2008

Package: turba2
Version: 2.1.3-1
Severity: normal

Access rights do not seem to be checked properly before allowing a user 
to edit address data as illustrated in the following example:

A user adds an address from his or her personal addressbook to a contact 
list in a shared address book. Now anybody who has write access to the 
shared address book can also edit this person's address data in the 
user's personal addressbook.

In fact, after manually entering an object_id (which I looked up in the 
database) from somebody else's address book I found I could edit this 
data as well.

So it seems that when edit.php is passed an object_id, the owner_id and 
the requesting user's access rights to the addressbook that the owner_id 
refers to aren't checked. Apparently knowing the object_id is enough to 
be able to edit any address! I guess this is left over from the time 
address books couldn't be shared yet, based on the assumption that 
people wouldn't be able to guess the pseudo random 32 character IDs.

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
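The following is an added illustration of the authorization gap the report describes; it is not Turba's code and not part of the original message. It models the two scenarios in the report (a private contact linked into a list in a shared book, and a directly supplied object_id) and shows the edit path with and without a check against the book that actually owns the record. The names AddressBook, Contact, ContactList, the READ/EDIT permission bits, the module-level stores and the edit_* functions are all assumptions chosen for the example; the sample data in scenario() is constructed.

```python
"""Model of the missing access check described in the Turba bug report.

Added example, not Turba's code: every class, store and function below is
an assumption chosen to illustrate the check; only the shape of the bug
(object_id alone selects the record to edit) follows the report.
"""
from dataclasses import dataclass, field
import secrets

READ, EDIT = 1, 2  # hypothetical permission bits on a shared book


class Forbidden(Exception):
    """Requesting user may not edit the target record."""


@dataclass
class AddressBook:
    owner: str
    acl: dict = field(default_factory=dict)  # user -> permission bits

    def allows(self, user: str, perm: int) -> bool:
        return user == self.owner or bool(self.acl.get(user, 0) & perm)


@dataclass
class Contact:
    object_id: str
    owner_id: str  # key of the address book the record lives in
    name: str
    email: str


@dataclass
class ContactList:
    object_id: str
    owner_id: str
    members: list  # object_ids of contacts, possibly from other books


BOOKS: dict = {}
CONTACTS: dict = {}
LISTS: dict = {}


def new_id() -> str:
    # 32 hex characters, like the pseudo-random ids the report mentions
    return secrets.token_hex(16)


def add_contact(book: str, name: str, email: str) -> str:
    oid = new_id()
    CONTACTS[oid] = Contact(oid, book, name, email)
    return oid


def add_list(book: str, members: list) -> str:
    oid = new_id()
    LISTS[oid] = ContactList(oid, book, list(members))
    return oid


def edit_contact_vulnerable(user: str, object_id: str, **changes) -> Contact:
    """Behaviour from the report: the object_id alone selects the record;
    neither owner_id nor the caller's rights on that book are consulted."""
    contact = CONTACTS[object_id]
    for key, value in changes.items():
        setattr(contact, key, value)
    return contact


def edit_contact_fixed(user: str, object_id: str, **changes) -> Contact:
    """Resolve the record, then check the caller against the book that
    owns it before any write. Raises Forbidden instead of editing."""
    contact = CONTACTS.get(object_id)
    if contact is None:
        raise KeyError(object_id)
    if not BOOKS[contact.owner_id].allows(user, EDIT):
        raise Forbidden(f"{user} may not edit {object_id} in {contact.owner_id}")
    for key, value in changes.items():
        setattr(contact, key, value)
    return contact


def edit_list_member_fixed(user: str, list_id: str, member_id: str, **changes):
    """Editing through a list: rights on the list's book do not carry over
    to the member, which is checked against its own book."""
    lst = LISTS[list_id]
    if member_id not in lst.members:
        raise KeyError(member_id)
    if not BOOKS[lst.owner_id].allows(user, READ):
        raise Forbidden(f"{user} may not read list {list_id}")
    return edit_contact_fixed(user, member_id, **changes)


def scenario() -> dict:
    """Constructed data reproducing the report: alice's private contact is
    added to a list in a shared book that bob may edit."""
    BOOKS.clear(); CONTACTS.clear(); LISTS.clear()
    BOOKS["alice"] = AddressBook("alice")
    BOOKS["shared"] = AddressBook("alice", {"bob": READ | EDIT})
    carol = add_contact("alice", "Carol", "carol@example.org")
    team = add_list("shared", [carol])
    results = {}
    # vulnerable path: bob rewrites a record in alice's private book
    edit_contact_vulnerable("bob", carol, email="attacker@example.net")
    results["vulnerable_email"] = CONTACTS[carol].email
    CONTACTS[carol].email = "carol@example.org"
    # fixed path: same request refused, directly and via the shared list
    for call in (lambda: edit_contact_fixed("bob", carol, email="x@example.net"),
                 lambda: edit_list_member_fixed("bob", team, carol, email="x@example.net")):
        try:
            call(); results.setdefault("refused", []).append(False)
        except Forbidden:
            results.setdefault("refused", []).append(True)
    results["fixed_email"] = CONTACTS[carol].email
    edit_contact_fixed("alice", carol, email="carol@new.example.org")  # owner still may
    results["owner_email"] = CONTACTS[carol].email
    return results
```

The point of the fixed version is the order of operations: resolve the object_id to its record, read the owning address book from the record itself (not from a request parameter), and evaluate the caller's rights on that book before touching the data. An unguessable id is not a substitute for that check, because ids leak through shared contact lists, exports and the database itself.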

More information about the pkg-horde-hackers mailing list