Package: egroupware-calendar
Version: 1.4.004-2.dfsg-4.1
Severity: important
Tags: lenny, security
All,

I've been working to get the KDE PIM suite Kontact to work with eGroupWare Calendar. I ran into some problems, where the symptom was that although the data was entered into the database, it didn't show up in the web interface, nor could it be synched to other devices. My investigation of the problem led me to something that I feel could have important security considerations:

I have created two users on the system, "admin", which is a fully privileged user, and "kjetil", a normal user (the two accounts share my name and email address, though). With the "admin" user, I enabled the XML-RPC interface to eGroupWare. I then entered "kjetil"'s credentials in Kontact's Calendar application. Now, it turns out that in spite of the fact that Kontact does not have "admin"'s credentials, eGroupWare enters the item as if it was entered by "admin". This is made clear by this SQL query executed on my PostgreSQL database:

egroupware=# SELECT egw_cal.cal_id, cal_owner, cal_public, cal_status, cal_user_id, account_lid
               FROM egw_cal
               JOIN egw_cal_user ON (egw_cal.cal_id = egw_cal_user.cal_id)
               JOIN egw_accounts ON (egw_accounts.account_id = egw_cal_user.cal_user_id);

 cal_id | cal_owner | cal_public | cal_status | cal_user_id | account_lid
--------+-----------+------------+------------+-------------+-------------
      1 |         6 |          1 | A          |           5 | admin
      2 |         6 |          1 | A          |           6 | kjetil
      3 |         6 |          1 | A          |           5 | admin
      4 |         6 |          1 | A          |           5 | admin
      5 |         6 |          1 | A          |           5 | admin
      6 |         6 |          1 | A          |           6 | kjetil

Here, the two calendar items created by "kjetil" were created by either the web interface or a Nokia phone using SyncML. The other calendar items were entered by Kontact on a remote host. All items are entered into a calendar owned by "kjetil".

This seems to me to raise security concerns; it seems very odd that a normal user should be able to enter something in the database with a higher-privileged user's name. I have not investigated further whether this is a manifestation of a larger privilege escalation problem.
Nevertheless, just creating things in another user's name is a security concern. Furthermore, I haven't investigated whether this problem is present in the latest eGroupWare release, or only in the packages in Debian Lenny. These packages now lag somewhat behind upstream, so I hope that the Debian maintainers can have a look at the problem.

-- System Information:
Debian Release: 5.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages egroupware-calendar depends on:
ii  egroupware-core       1.4.004-2.dfsg-4.1  web-based groupware suite - core m
ii  egroupware-etemplate  1.4.004-2.dfsg-4.1  web-based groupware suite - widget
ii  egroupware-infolog    1.4.004-2.dfsg-4.1  web-based groupware suite - infolo

egroupware-calendar recommends no packages.
egroupware-calendar suggests no packages.

-- no debconf information