This is NOT a security problem!

The calendar items are all created in the calendar of the user whose
credentials you used ("kjetil"). That's recognisable in the cal_owner
column, which is 6 for all entries. If you look at the second row, you
can see that 6 is the account_id of kjetil.

Some of the items do not show up in kjetil's calendar, because they have
"admin" as the only participant of the event. That's caused by the fact
that admin and kjetil share the same email address, which is used by
external clients to identify the user.

So I recommend closing this bug report as invalid.

Anyway, the xmlrpc interface is outdated in eGroupware and switched off
by default. I recommend using the new GroupDAV interface.

Ralf

Kjetil Kjernsmo wrote:
> Package: egroupware-calendar
> Version: 1.4.004-2.dfsg-4.1
> Severity: important
> Tags: lenny, security
> 
> All,
> 
> I've been working to get the KDE PIM suite Kontact to work with eGroupWare
> Calendar. I ran into some problems, where the symptom was that although
> the data was entered into the database it didn't show up in the web
> interface, nor could it be synced to other devices. My investigation of
> the problem led me to something that I feel could have important security
> considerations:
> 
> I have created two users on the system, "admin", which is a fully
> privileged user, and "kjetil", a normal user (the two accounts share my
> name and email address though).
> 
> With the "admin" user, I enabled the XML-RPC interface to eGroupWare. I 
> then entered "kjetil"'s credentials in Kontact's Calendar application.
> 
> Now, it turns out that despite the fact that Kontact does not have "admin"'s
> credentials, eGroupWare enters the item as if it was entered by "admin".
> This is made clear by this SQL query executed on my PostgreSQL database:
> 
> egroupware=# SELECT egw_cal.cal_id, cal_owner, cal_public, cal_status, 
> cal_user_id, account_lid FROM egw_cal JOIN egw_cal_user ON (egw_cal.cal_id 
> = egw_cal_user.cal_id) JOIN egw_accounts ON (egw_accounts.account_id = 
> egw_cal_user.cal_user_id);
>  cal_id | cal_owner | cal_public | cal_status | cal_user_id | account_lid
> --------+-----------+------------+------------+-------------+-------------
>       1 |         6 |          1 | A          |           5 | admin
>       2 |         6 |          1 | A          |           6 | kjetil
>       3 |         6 |          1 | A          |           5 | admin
>       4 |         6 |          1 | A          |           5 | admin
>       5 |         6 |          1 | A          |           5 | admin
>       6 |         6 |          1 | A          |           6 | kjetil
> 
> Here, the two calendar items created by "kjetil" were created by either the
> web interface or a Nokia phone using SyncML. The other calendar items were
> entered by Kontact on a remote host. All items are entered into a calendar
> owned by "kjetil".
> 
> This seems to me to raise security concerns; it seems very odd that a
> normal user should be able to enter something in the database with a higher
> privileged user's name. I have not investigated further whether this is a
> manifestation of a larger privilege escalation problem. Nevertheless, just
> creating things in another user's name is a security concern.
> 
> Furthermore, I haven't investigated whether this problem is present in the
> latest eGroupWare release, or only in the packages in Debian Lenny.
> These packages now lag somewhat behind upstream, so I hope that Debian
> maintainers can have a look at the problem.
> 
> -- System Information:
> Debian Release: 5.0
>   APT prefers stable
>   APT policy: (500, 'stable')
> Architecture: i386 (i686)
> 
> Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
> Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
> Shell: /bin/sh linked to /bin/bash
> 
> Versions of packages egroupware-calendar depends on:
> ii  egroupware-core       1.4.004-2.dfsg-4.1 web-based groupware suite - core m
> ii  egroupware-etemplate  1.4.004-2.dfsg-4.1 web-based groupware suite - widget
> ii  egroupware-infolog    1.4.004-2.dfsg-4.1 web-based groupware suite - infolo
> 
> egroupware-calendar recommends no packages.
> 
> egroupware-calendar suggests no packages.
> 
> -- no debconf information

-- 
Ralf Becker
Director Software Development

Stylite GmbH
[open style of IT]

Morschheimer Strasse 15
67292 Kirchheimbolanden

fon  +49 (0) 6352 70629-0
fax  +49 (0) 6352 70629-30
mailto: r...@stylite.de

www.stylite.de
www.egroupware.org
________________________________________________

Managing Directors: Andre Keller, Nigel John Vickers,
        Gudrun K. Müller and Ralf Becker
Register court Kaiserslautern HRB 12087
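An added example, not eGroupware's own code, modelling the explanation in the reply above: an external client's attendee is mapped to an account by e-mail address, so two accounts that share one address (admin and kjetil) get conflated, while cal_owner still comes from the authenticated session. The account table and its e-mail column are constructed assumptions; the safe resolver prefers the authenticated account and reports any other collision instead of guessing.

```python
# Added example (not eGroupware code). Shows why a first-match e-mail lookup
# turns kjetil's attendee into "admin", and a resolution that does not guess.
from collections import Counter

# Constructed account table modelled on egw_accounts (account_id, account_lid);
# the "email" column and addresses are assumptions, not taken from the report.
ACCOUNTS = [
    {"account_id": 5, "account_lid": "admin",  "email": "kjetil@example.org"},
    {"account_id": 6, "account_lid": "kjetil", "email": "kjetil@example.org"},
    {"account_id": 7, "account_lid": "alice",  "email": "alice@example.org"},
]


def shared_addresses(accounts):
    """Addresses used by more than one account: the root cause in this report."""
    counts = Counter(a["email"].lower() for a in accounts)
    return sorted(addr for addr, n in counts.items() if n > 1)


def resolve_naive(accounts, email, authenticated_id):
    """First-match lookup. With a shared address this silently returns admin (5)
    even though the session belongs to kjetil (6)."""
    for a in accounts:
        if a["email"].lower() == email.lower():
            return a["account_id"]
    return None


def resolve_safe(accounts, email, authenticated_id):
    """Prefer the authenticated account when it owns the address; refuse to
    pick between other accounts that share it."""
    matches = [a["account_id"] for a in accounts
               if a["email"].lower() == email.lower()]
    if not matches:
        return None
    if authenticated_id in matches:
        return authenticated_id
    if len(matches) > 1:
        raise ValueError(f"ambiguous address {email!r}: accounts {matches}")
    return matches[0]


def cal_user_rows(accounts, attendee_emails, authenticated_id, resolver):
    """(cal_owner, cal_user_id) pairs as the report's JOIN shows them.
    cal_owner always comes from the authenticated session, never the client."""
    return [(authenticated_id, resolver(accounts, e, authenticated_id))
            for e in attendee_emails]
```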
