Your message dated Sat, 12 Apr 2008 17:54:59 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#464058: fixed in turba2 2.0.2-1sarge1
has caused the Debian Bug report #464058,
regarding turba2: Access rights not checked properly
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
464058: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464058
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: turba2
Version: 2.1.3-1
Severity: normal
Access rights do not seem to be checked properly before allowing a user
to edit address data as illustrated in the following example:
A user adds an address from his or her personal addressbook to a contact
list in a shared address book. Now anybody who has write access to the
shared address book can also edit this person's address data in the
user's personal addressbook.
In fact, after manually entering an object_id (which I looked up in the
database) from somebody else's address book I found I could edit this
data as well.
So it seems that when edit.php is passed an object_id, the owner_id and
the requesting user's access rights to the addressbook that the owner_id
refers to aren't checked. Apparently knowing the object_id is enough to
be able to edit any address! I guess this is left over from the time
address books couldn't be shared yet, based on the assumption that
people wouldn't be able to guess the pseudo random 32 character ids.
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
--- End Message ---
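The access check the report above says edit.php skips, modelled as an added Python example (this is not Turba's own PHP code): the vulnerable path edits a contact by object_id alone, while the hardened path resolves the contact's owner_id to its own address book and requires edit permission there, so write access to a shared book no longer reaches contacts living in someone's personal book. The dict-based store, the user names and the permission name "edit" are assumptions made for the example.

```python
EDIT = "edit"  # assumed permission name; Turba's real permission bits differ


class AccessDenied(Exception):
    pass


class ContactStore:
    """One contact table keyed by object_id, as the report describes."""

    def __init__(self):
        self.book_perms = {}   # owner_id (address book) -> {user: set(perms)}
        self.contacts = {}     # object_id -> {"owner_id": ..., "data": {...}}

    def edit_unchecked(self, user, object_id, changes):
        # Vulnerable behaviour from the report: knowing object_id is enough.
        contact = self.contacts[object_id]
        contact["data"].update(changes)
        return contact

    def edit_checked(self, user, object_id, changes):
        # Hardened path: resolve the contact's owner_id to its own address book
        # and require edit permission there, not on the book (e.g. a shared
        # contact list) through which the caller reached the contact.
        contact = self.contacts[object_id]
        perms = self.book_perms[contact["owner_id"]].get(user, set())
        if EDIT not in perms:
            raise AccessDenied(f"{user} has no edit right on {contact['owner_id']}'s book")
        contact["data"].update(changes)
        return contact


def can_edit(store, user, object_id):
    """True if the hardened check would let `user` edit `object_id`."""
    try:
        store.edit_checked(user, object_id, {})
        return True
    except AccessDenied:
        return False


def build_scenario():
    # Constructed data mirroring the report: alice's personal book, a shared
    # book bob may write to, and one contact in each (the 32-char ids are fake).
    store = ContactStore()
    store.book_perms["alice"] = {"alice": {EDIT}}
    store.book_perms["shared"] = {"alice": {EDIT}, "bob": {EDIT}}
    store.contacts["a1" * 16] = {"owner_id": "alice", "data": {"email": "a@example.org"}}
    store.contacts["b2" * 16] = {"owner_id": "shared", "data": {"email": "team@example.org"}}
    return store
```

With `build_scenario()`, `can_edit(store, "bob", "a1" * 16)` is False under the hardened check even though bob holds edit rights on the shared book, whereas `edit_unchecked` lets him change alice's contact.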
--- Begin Message ---
Source: turba2
Source-Version: 2.0.2-1sarge1
We believe that the bug you reported is fixed in the latest version of
turba2, which is due to be installed in the Debian FTP archive:
turba2_2.0.2-1sarge1.diff.gz
to pool/main/t/turba2/turba2_2.0.2-1sarge1.diff.gz
turba2_2.0.2-1sarge1.dsc
to pool/main/t/turba2/turba2_2.0.2-1sarge1.dsc
turba2_2.0.2-1sarge1_all.deb
to pool/main/t/turba2/turba2_2.0.2-1sarge1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Gregory Colpart (evolix) <[EMAIL PROTECTED]> (supplier of updated turba2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Thu, 21 Feb 2008 02:17:37 +0100
Source: turba2
Binary: turba2
Architecture: source all
Version: 2.0.2-1sarge1
Distribution: oldstable-security
Urgency: high
Maintainer: Ola Lundqvist <[EMAIL PROTECTED]>
Changed-By: Gregory Colpart (evolix) <[EMAIL PROTECTED]>
Description:
turba2 - contact management component for horde framework
Closes: 464058
Changes:
turba2 (2.0.2-1sarge1) oldstable-security; urgency=high
.
* Fix unchecked access to contacts in the same SQL table, if the unique key
of another user's contact can be guessed. See CVE-2008-0807 for more
information. (Closes: #464058)
* Fix privilege escalation in Horde API.
* Close several XSS vulnerabilities with address book and contact data.
Files:
78ef803c5a5c3c0564ddd8b23a96da4d 626 web optional turba2_2.0.2-1sarge1.dsc
43381a9620d08ad17758fc533e865db3 1221378 web optional turba2_2.0.2.orig.tar.gz
8ccfd8d4f1886141a916d706217d8a73 8049 web optional turba2_2.0.2-1sarge1.diff.gz
ee4a5791cb7b942305f9095b9b3ae697 1282950 web optional turba2_2.0.2-1sarge1_all.deb
--- End Message ---