Bug#520819: egroupware-calendar: XML-RPC interface posts as admin when normal user is logged in
Package: egroupware-calendar
Version: 1.4.004-2.dfsg-4.1
Severity: important
Tags: lenny, security
All,
I've been working to get the KDE PIM suite Kontact to work with eGroupWare
Calendar. I ran into some problems, where the symptom was that although
the data was entered into the database it didn't show up in the web
interface, nor could it be synched to other devices. My investigation of
the problem led me to something that I feel could have important security
considerations:
I have created two users on the system, "admin", which is a fully
privileged user, and "kjetil", a normal user (the two accounts share my
name and email address though).
With the "admin" user, I enabled the XML-RPC interface to eGroupWare. I
then entered "kjetil"'s credentials in Kontact's Calendar application.
Now, it turns out that despite the fact that Kontact does not have "admin"'s
credentials, eGroupWare enters the item as if it was entered by "admin".
This is made clear by this SQL query executed on my PostgreSQL database:
egroupware=# SELECT egw_cal.cal_id, cal_owner, cal_public, cal_status,
             cal_user_id, account_lid
             FROM egw_cal
             JOIN egw_cal_user ON (egw_cal.cal_id = egw_cal_user.cal_id)
             JOIN egw_accounts ON (egw_accounts.account_id = egw_cal_user.cal_user_id);
 cal_id | cal_owner | cal_public | cal_status | cal_user_id | account_lid
--------+-----------+------------+------------+-------------+-------------
      1 |         6 |          1 | A          |           5 | admin
      2 |         6 |          1 | A          |           6 | kjetil
      3 |         6 |          1 | A          |           5 | admin
      4 |         6 |          1 | A          |           5 | admin
      5 |         6 |          1 | A          |           5 | admin
      6 |         6 |          1 | A          |           6 | kjetil
Here, the two calendar items created by "kjetil" are created by either the
web interface or a Nokia phone using SyncML. The other calendar items are
entered by Kontact on a remote host. All items are entered into a calendar
owned by "kjetil".
This seems to me to raise security concerns; it seems very odd that a
normal user should be able to enter something in the database with a higher
privileged user's name. I have not investigated further if this is a
manifestation of a larger privilege escalation problem. Nevertheless, just
creating things in another user's name is a security concern.
Furthermore, I haven't investigated if this problem is present in the
latest eGroupWare release, or only in the packages in Debian Lenny.
These packages now lag somewhat behind upstream, so I hope that Debian
maintainers can have a look at the problem.
-- System Information:
Debian Release: 5.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash
Versions of packages egroupware-calendar depends on:
ii egroupware-core 1.4.004-2.dfsg-4.1 web-based groupware suite - core m
ii egroupware-etemplate 1.4.004-2.dfsg-4.1 web-based groupware suite - widget
ii egroupware-infolog 1.4.004-2.dfsg-4.1 web-based groupware suite - infolo
egroupware-calendar recommends no packages.
egroupware-calendar suggests no packages.
-- no debconf information
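An audit check for the symptom the report describes, added here as an example and not part of the report or of eGroupWare: it lists calendar items whose owning account does not appear among the item's participants at all, which is exactly the pattern of the four "admin" rows above (owner kjetil, sole participant admin). It assumes only the three table and column names that the report's own query uses, runs against an in-memory SQLite copy of them instead of PostgreSQL, and the data rows are constructed to mirror the report's psql output.

```python
"""Find calendar items stored under an account other than the calendar owner.

Added example (not from the bug report or eGroupWare). Table and column names
are the ones the report queries; SQLite stands in for the PostgreSQL database
(assumption), and the sample rows are constructed from the report's output.
"""
import sqlite3

SCHEMA = """
CREATE TABLE egw_accounts (account_id INTEGER PRIMARY KEY, account_lid TEXT);
CREATE TABLE egw_cal (cal_id INTEGER PRIMARY KEY, cal_owner INTEGER,
                      cal_public INTEGER, cal_status TEXT);
CREATE TABLE egw_cal_user (cal_id INTEGER, cal_user_id INTEGER);
"""

# Constructed sample data mirroring the report: account 5 = admin, 6 = kjetil,
# every item owned by kjetil, items 1, 3, 4, 5 with admin as the only participant.
ACCOUNTS = [(5, "admin"), (6, "kjetil")]
CAL = [(i, 6, 1, "A") for i in range(1, 7)]
CAL_USER = [(1, 5), (2, 6), (3, 5), (4, 5), (5, 5), (6, 6)]

# One row per item whose owner is not a participant; the HAVING clause counts
# how many participant rows match the owner and keeps items where that is zero.
# (On PostgreSQL use string_agg() and SUM(CASE WHEN ... THEN 1 ELSE 0 END).)
AUDIT_SQL = """
SELECT c.cal_id,
       o.account_lid AS owner,
       GROUP_CONCAT(p.account_lid) AS participants
FROM egw_cal c
JOIN egw_accounts o ON o.account_id = c.cal_owner
JOIN egw_cal_user u ON u.cal_id = c.cal_id
JOIN egw_accounts p ON p.account_id = u.cal_user_id
GROUP BY c.cal_id, o.account_lid
HAVING SUM(u.cal_user_id = c.cal_owner) = 0
ORDER BY c.cal_id
"""


def load_sample() -> sqlite3.Connection:
    """Create the three tables in memory and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO egw_accounts VALUES (?, ?)", ACCOUNTS)
    conn.executemany("INSERT INTO egw_cal VALUES (?, ?, ?, ?)", CAL)
    conn.executemany("INSERT INTO egw_cal_user VALUES (?, ?)", CAL_USER)
    return conn


def find_misattributed(conn: sqlite3.Connection) -> list:
    """Return (cal_id, owner, participants) for items the owner is absent from."""
    return conn.execute(AUDIT_SQL).fetchall()


if __name__ == "__main__":
    for cal_id, owner, participants in find_misattributed(load_sample()):
        print(f"cal_id={cal_id}: owner {owner!r} is not a participant; "
              f"stored under {participants}")
```

Run against the sample data it reports items 1, 3, 4 and 5, the four rows the report attributes to the XML-RPC client. Items where the owner is a participant alongside others (an ordinary invitation) are not flagged, so the check targets the report's symptom rather than every multi-user entry.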