Package: roundup
Version: 1.2.1-5+etch2
Severity: grave
Tags: security
Justification: user security hole
Hi,

Daniel Diniz discovered that EditCSVAction does not include appropriate permission checks, allowing any user to edit any item in a class she has create / edit privileges for. This includes, amongst others, modifying the content of existing messages or issues, changing user settings or adding roles to existing users, which allows gaining admin privileges.

The attack may be done using specially crafted but simple URLs. I'm not adding an example since I'm not sure this should be made public yet. I will provide examples to the package maintainer and the security team on request though.

See upstream issue 2550521 [1] for more details and the original report by Daniel - that issue mentions editing saved queries only though, as the real impact of the bug was not known at that time.

Afaik, there is no CVE for this issue yet.

Cheers,
Sebastian

[1] http://issues.roundup-tracker.org/issue2550521

--
Sebastian "tokkee" Harl +++ GnuPG-ID: 0x8501C7FC +++ http://tokkee.org/

Those who would give up Essential Liberty to purchase a little Temporary
Safety, deserve neither Liberty nor Safety.
-- Benjamin Franklin