
Bug#520819: egroupware-calendar: XML-RPC interface posts as admin when normal user is logged in
Package: egroupware-calendar
Version: 1.4.004-2.dfsg-4.1
Severity: important
Tags: lenny, security

All,

I've been working to get the KDE PIM suite Kontact to work with eGroupWare 
Calendar. I ran into some problems, where the symptom was that although 
the data was entered into the database it didn't show up in the web 
interface, nor could it be synched to other devices. My investigation of 
the problem led me to something that I feel could have important security 
considerations:

I have created two users on the system, "admin", which is a fully 
privileged user, and "kjetil", a normal user (the two accounts share my 
name and email address though).

With the "admin" user, I enabled the XML-RPC interface to eGroupWare. I 
then entered "kjetil"'s credentials in Kontact's Calendar application.

Now, it turns out that in spite of the fact that Kontact does not have "admin"'s 
credentials, eGroupWare enters the item as if it was entered by "admin". 
This is made clear by this SQL query executed on my PostgreSQL database:

egroupware=# SELECT egw_cal.cal_id, cal_owner, cal_public, cal_status, 
cal_user_id, account_lid FROM egw_cal JOIN egw_cal_user ON (egw_cal.cal_id 
= egw_cal_user.cal_id) JOIN egw_accounts ON (egw_accounts.account_id = 
egw_cal_user.cal_user_id);
 cal_id | cal_owner | cal_public | cal_status | cal_user_id | account_lid
--------+-----------+------------+------------+-------------+-------------
      1 |         6 |          1 | A          |           5 | admin
      2 |         6 |          1 | A          |           6 | kjetil
      3 |         6 |          1 | A          |           5 | admin
      4 |         6 |          1 | A          |           5 | admin
      5 |         6 |          1 | A          |           5 | admin
      6 |         6 |          1 | A          |           6 | kjetil

Here, the two calendar items created by "kjetil" are created by either the 
web interface or a Nokia phone using SyncML. The other calendar items are 
entered by Kontact on a remote host. All items are entered into a calendar 
owned by "kjetil".

This seems to me to raise security concerns; it seems very odd that a 
normal user should be able to enter something in the database with a higher 
privileged user's name. I have not investigated further if this is a 
manifestation of a larger privilege escalation problem. Nevertheless, just 
creating things in another user's name is a security concern.

Furthermore, I haven't investigated if this problem is present in the 
latest eGroupWare release, or only in the packages in Debian Lenny. 
These packages now lag somewhat behind upstream, so I hope that Debian 
maintainers can have a look at the problem.

-- System Information:
Debian Release: 5.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages egroupware-calendar depends on:
ii  egroupware-core       1.4.004-2.dfsg-4.1 web-based groupware suite - core m
ii  egroupware-etemplate  1.4.004-2.dfsg-4.1 web-based groupware suite - widget
ii  egroupware-infolog    1.4.004-2.dfsg-4.1 web-based groupware suite - infolo

egroupware-calendar recommends no packages.

egroupware-calendar suggests no packages.

-- no debconf information