Mailing List Archive

Security problem in 0.9.9?
Hi, I am using Davical 0.9.9.

I am not sure if the following is a security problem, or if I have
configured something wrong.
Maybe someone could test this on his own Davical installation.

In the Davical web GUI, when you click on a user, you can set the
privileges which are granted to all users.
I have activated "Read Free/Busy Information" and "Scheduling: Query
free/busy", and I did not set any other read or write permissions. I
just wanted to allow all users to see when my testuser is free or busy.

But now there is a problem:
when I browse with the web browser to [...]/caldav.php/[mytestuser]/home
and log in with any other user, I get all events of my testuser.

But as I said, I did not set any other read or write permissions, and I
want to disallow the users to read the calendar of the testuser.

The problem is "solved" when I deactivate "Read Free/Busy Information"
and leave "Scheduling: Query free/busy" activated on the page of my
testuser -> now the other users can no longer see the events of my
testuser.
And the Free/Busy mechanism of Thunderbird still works :-)

Can you reproduce this security problem too?

HELPING HEADS for Hardware and Software
-------------------------------------------------------------------------
For your projects we develop tailor-made solutions - fast, flexible and
directly on site. Our well-practised team of experienced hardware and
software specialists supports you wherever you need us.

--------------------------------------------------------------------------
SysDesign GmbH
Saentisstrasse 25
D-88079 Kressbronn am Bodensee

Managing director: Franz Kleiner
Commercial register: Ulm 632138
--------------------------------------------------------------------------



_______________________________________________
rscds-general mailing list
rscds-general at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rscds-general
Re: Security problem in 0.9.9?
On Mon, 2010-05-17 at 10:22 +0200, Markus Tallowitz wrote:
> Hi, I am using Davical 0.9.9.
>
> I am not sure if the following is a security problem, or if I have
> configured something wrong.
> Maybe someone could test this on his own Davical installation.
>
> In the Davical web GUI, when you click on a user, you can set the
> privileges which are granted to all users.
> I have activated "Read Free/Busy Information" and "Scheduling: Query
> free/busy", and I did not set any other read or write permissions. I
> just wanted to allow all users to see when my testuser is free or busy.
>
> But now there is a problem:
> when I browse with the web browser to [...]/caldav.php/[mytestuser]/home
> and log in with any other user, I get all events of my testuser.

Hi Markus,

Do you get all events, or do you get a calendar containing obfuscated
versions of all events? In this situation you should be getting
obfuscated content, so that the events are shown, but with only a
summary of 'Busy'.

Regards,
Andrew.

--
------------------------------------------------------------------------
andrew (AT) morphoss (DOT) com +64(272)DEBIAN
Let me put it this way: today is going to be a learning experience.
------------------------------------------------------------------------

Re: Security problem in 0.9.9?
On 17.05.2010 14:19, Andrew McMillan wrote:
> On Mon, 2010-05-17 at 10:22 +0200, Markus Tallowitz wrote:
>
>> Hi, I am using Davical 0.9.9.
>>
>> I am not sure if the following is a security problem, or if I have
>> configured something wrong.
>> Maybe someone could test this on his own Davical installation.
>>
>> In the Davical web GUI, when you click on a user, you can set the
>> privileges which are granted to all users.
>> I have activated "Read Free/Busy Information" and "Scheduling: Query
>> free/busy", and I did not set any other read or write permissions. I
>> just wanted to allow all users to see when my testuser is free or busy.
>>
>> But now there is a problem:
>> when I browse with the web browser to [...]/caldav.php/[mytestuser]/home
>> and log in with any other user, I get all events of my testuser.
>>
> Hi Markus,
>
> Do you get all events, or do you get a calendar containing obfuscated
> versions of all events? In this situation you should be getting
> obfuscated content, so that the events are shown, but with only a
> summary of 'Busy'.
>
> Regards,
> Andrew.
>
When "Read Free/Busy Information" is activated, I get all details
(DESCRIPTION, SUMMARY, LOCATION, ...) with the right values.
The database has been upgraded from Davical 0.9.7.6.

I don't know the exact difference between the two same-looking Free/Busy
options...
Re: Security problem in 0.9.9?
Hi,

I just wanted to confirm this bug on a clean 0.9.9 install. I'm using LDAP
for authentication... I don't know if that can cause such problems.

Thank you for this great software.

jonas

On 28.05.2010 10:00, rscds-general-request at lists.sourceforge.net wrote:

Date: Mon, 17 May 2010 15:09:27 +0200
From: Markus Tallowitz <MTallowitz at sysdesign-edv.de>
Subject: Re: [DAViCal-general] Security problem in 0.9.9?
To: rscds-general at lists.sourceforge.net
Message-ID: <4BF14007.1050405 at SysDesign-EDV.de>
Content-Type: text/plain; charset=UTF-8; format=flowed

On 17.05.2010 14:19, Andrew McMillan wrote:

> On Mon, 2010-05-17 at 10:22 +0200, Markus Tallowitz wrote:
>
>> Hi, I am using Davical 0.9.9.
>>
>> I am not sure if the following is a security problem, or if I have
>> configured something wrong.
>> Maybe someone could test this on his own Davical installation.
>>
>> In the Davical web GUI, when you click on a user, you can set the
>> privileges which are granted to all users.
>> I have activated "Read Free/Busy Information" and "Scheduling: Query
>> free/busy", and I did not set any other read or write permissions. I
>> just wanted to allow all users to see when my testuser is free or busy.
>>
>> But now there is a problem:
>> when I browse with the web browser to [...]/caldav.php/[mytestuser]/home
>> and log in with any other user, I get all events of my testuser.
>>
> Hi Markus,
>
> Do you get all events, or do you get a calendar containing obfuscated
> versions of all events? In this situation you should be getting
> obfuscated content, so that the events are shown, but with only a
> summary of 'Busy'.
>
> Regards,
> Andrew.
>

When "Read Free/Busy Information" is activated, I get all details
(DESCRIPTION, SUMMARY, LOCATION, ...) with the right values.
The database has been upgraded from Davical 0.9.7.6.

I don't know the exact difference between the two same-looking Free/Busy
options...
Re: Security problem in 0.9.9?
I'm using LDAP too.

On 28.05.2010 10:50, Jonas Kn?ll wrote:
> Hi,
>
> I just wanted to confirm this bug on a clean 0.9.9 install. I'm using
> LDAP for authentication... I don't know if that can cause such problems.
>
> Thank you for this great software.
>
> jonas
>
> On 28.05.2010 10:00, rscds-general-request at lists.sourceforge.net wrote:
>> Date: Mon, 17 May 2010 15:09:27 +0200
>> From: Markus Tallowitz <MTallowitz at sysdesign-edv.de>
>> Subject: Re: [DAViCal-general] Security problem in 0.9.9?
>> To: rscds-general at lists.sourceforge.net
>> Message-ID: <4BF14007.1050405 at SysDesign-EDV.de>
>> Content-Type: text/plain; charset=UTF-8; format=flowed
>>
>> On 17.05.2010 14:19, Andrew McMillan wrote:
>>> On Mon, 2010-05-17 at 10:22 +0200, Markus Tallowitz wrote:
>>>
>>>> Hi, I am using Davical 0.9.9.
>>>>
>>>> I am not sure if the following is a security problem, or if I have
>>>> configured something wrong.
>>>> Maybe someone could test this on his own Davical installation.
>>>>
>>>> In the Davical web GUI, when you click on a user, you can set the
>>>> privileges which are granted to all users.
>>>> I have activated "Read Free/Busy Information" and "Scheduling: Query
>>>> free/busy", and I did not set any other read or write permissions. I
>>>> just wanted to allow all users to see when my testuser is free or busy.
>>>>
>>>> But now there is a problem:
>>>> when I browse with the web browser to [...]/caldav.php/[mytestuser]/home
>>>> and log in with any other user, I get all events of my testuser.
>>>>
>>> Hi Markus,
>>>
>>> Do you get all events, or do you get a calendar containing obfuscated
>>> versions of all events? In this situation you should be getting
>>> obfuscated content, so that the events are shown, but with only a
>>> summary of 'Busy'.
>>>
>>> Regards,
>>> Andrew.
>>>
>> When "Read Free/Busy Information" is activated, I get all details
>> (DESCRIPTION, SUMMARY, LOCATION, ...) with the right values.
>> The database has been upgraded from Davical 0.9.7.6.
>>
>> I don't know the exact difference between the two same-looking Free/Busy
>> options...
>>
>


Re: Security problem in 0.9.9?
I got a working patch with just a few changes:
- I added an $any parameter to DAVResource::havePrivilegeTo to indicate
whether any or all of the privileges must be met. The calls to the function
in caldav-GET specify any=0.
- I fixed two typos: obfuscated_event should be obfuscate_event.

Hope that helps.

jonas

2010/5/28 Andrew McMillan <andrew at morphoss.com>

> On Fri, 2010-05-28 at 10:50 +0200, Jonas Kn?ll wrote:
> > Hi,
> >
> > I just wanted to confirm this bug on a clean 0.9.9 install. I'm using
> > LDAP for authentication... I don't know if that can cause such problems.
> >
> > Thank you for this great software.
>
> Yep. It's not a problem related to LDAP. The error is occurring around
> line 159 of inc/caldav-GET.php and I *really* need to sit down and
> figure out exactly how that line is screwing up.
>
> It'll certainly be fixed before the next release.
>
> Cheers,
> Andrew.
> >
> > jonas
> >
> > On 28.05.2010 10:00, rscds-general-request at lists.sourceforge.net
> > wrote:
> > > Date: Mon, 17 May 2010 15:09:27 +0200
> > > From: Markus Tallowitz <MTallowitz at sysdesign-edv.de>
> > > Subject: Re: [DAViCal-general] Security problem in 0.9.9?
> > > To: rscds-general at lists.sourceforge.net
> > > Message-ID: <4BF14007.1050405 at SysDesign-EDV.de>
> > > Content-Type: text/plain; charset=UTF-8; format=flowed
> > >
> > > On 17.05.2010 14:19, Andrew McMillan wrote:
> > > > On Mon, 2010-05-17 at 10:22 +0200, Markus Tallowitz wrote:
> > > >
> > > > > Hi, I am using Davical 0.9.9.
> > > > >
> > > > > I am not sure if the following is a security problem, or if I have
> > > > > configured something wrong.
> > > > > Maybe someone could test this on his own Davical installation.
> > > > >
> > > > > In the Davical web GUI, when you click on a user, you can set the
> > > > > privileges which are granted to all users.
> > > > > I have activated "Read Free/Busy Information" and "Scheduling: Query
> > > > > free/busy", and I did not set any other read or write permissions. I
> > > > > just wanted to allow all users to see when my testuser is free or busy.
> > > > >
> > > > > But now there is a problem:
> > > > > when I browse with the web browser to [...]/caldav.php/[mytestuser]/home
> > > > > and log in with any other user, I get all events of my testuser.
> > > > >
> > > > Hi Markus,
> > > >
> > > > Do you get all events, or do you get a calendar containing obfuscated
> > > > versions of all events? In this situation you should be getting
> > > > obfuscated content, so that the events are shown, but with only a
> > > > summary of 'Busy'.
> > > >
> > > > Regards,
> > > > Andrew.
> > > >
> > > When "Read Free/Busy Information" is activated, I get all details
> > > (DESCRIPTION, SUMMARY, LOCATION, ...) with the right values.
> > > The database has been upgraded from Davical 0.9.7.6.
> > >
> > > I don't know the exact difference between the two same-looking Free/Busy
> > > options...
> >

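The thread states the intended behaviour (a requester holding only the free/busy privilege should see obfuscated events whose summary is just 'Busy') and the shape of the fix (havePrivilegeTo gains an $any flag and the GET handler asks for all privileges, any=0). The Python model below is added here as an illustration and is not DAViCal's code: it shows how an "any overlapping bit" test against an aggregate privilege turns a free/busy-only grant into full read access, and how the "all bits" test plus obfuscation restore the intended view. The privilege bit values, the aggregate layout, the function names and the sample event are all constructed for the example; only the privilege names follow the WebDAV ACL (RFC 3744) and CalDAV (RFC 4791) vocabulary, where DAV:read aggregates CALDAV:read-free-busy.

```python
"""Model of a CalDAV GET privilege check: "any" versus "all" semantics.

Constructed example, not DAViCal code. Bit values and the aggregate layout
are assumptions made for the illustration.
"""

# Privilege bits (constructed). DAV::read is an aggregate privilege whose
# expansion includes the CalDAV read-free-busy leaf.
BIT = {
    "DAV::read": 1 << 0,
    "DAV::read-acl": 1 << 1,
    "DAV::read-current-user-privilege-set": 1 << 2,
    "urn:ietf:params:xml:ns:caldav:read-free-busy": 1 << 3,
    "DAV::write": 1 << 4,
}

# Aggregates expand to their own bit plus every contained privilege's bit.
CONTAINS = {
    "DAV::read": [
        "DAV::read-acl",
        "DAV::read-current-user-privilege-set",
        "urn:ietf:params:xml:ns:caldav:read-free-busy",
    ],
}

READ_FREE_BUSY = "urn:ietf:params:xml:ns:caldav:read-free-busy"


def privilege_mask(names):
    """Bitmask for a list of privilege names, expanding aggregates recursively."""
    mask = 0
    for name in names:
        mask |= BIT[name]
        mask |= privilege_mask(CONTAINS.get(name, []))
    return mask


def have_privilege_to(granted, wanted, require_all=True):
    """Test a granted bitmask against the wanted privileges.

    require_all=True: every bit of the expanded wanted set must be granted.
    require_all=False: one overlapping bit is enough, so a grant of only
    read-free-busy satisfies a test for DAV::read, because DAV::read's
    expansion contains the read-free-busy bit. That is the leak.
    """
    wanted_mask = privilege_mask(wanted)
    if require_all:
        return (granted & wanted_mask) == wanted_mask
    return (granted & wanted_mask) != 0


def obfuscate_event(event):
    """Keep only the timing of a VEVENT and replace its summary with 'Busy'."""
    return {"DTSTART": event["DTSTART"], "DTEND": event["DTEND"], "SUMMARY": "Busy"}


def serve_calendar(granted, events, require_all=True):
    """Return (HTTP status, events) for a requester holding `granted`.

    Full detail needs DAV::read; the free/busy privilege alone yields the
    obfuscated view; anything less is refused.
    """
    if have_privilege_to(granted, ["DAV::read"], require_all):
        return 200, events
    if have_privilege_to(granted, [READ_FREE_BUSY], require_all):
        return 200, [obfuscate_event(e) for e in events]
    return 403, []


# Constructed sample data: one event with fields a free/busy reader must not see.
SAMPLE_EVENTS = [
    {"DTSTART": "20100517T100000Z", "DTEND": "20100517T110000Z",
     "SUMMARY": "Budget review", "DESCRIPTION": "Q2 numbers", "LOCATION": "Room 3"},
]
FREE_BUSY_ONLY = BIT[READ_FREE_BUSY]   # what "Read Free/Busy Information" alone grants


def leaked_fields(granted, require_all):
    """Names of the non-timing fields a requester sees on the first event."""
    status, events = serve_calendar(granted, SAMPLE_EVENTS, require_all)
    if status != 200:
        return set()
    return {k for k in events[0] if k not in ("DTSTART", "DTEND")}


if __name__ == "__main__":
    print("all-semantics:", leaked_fields(FREE_BUSY_ONLY, True))    # {'SUMMARY'}, value 'Busy'
    print("any-semantics:", leaked_fields(FREE_BUSY_ONLY, False))   # full detail leaks
```

Run stand-alone, the script prints the field set a free/busy-only requester receives under each semantics; the difference between the two lines is the symptom Markus reported, and the `require_all=True` default corresponds to passing any=0 in the patch described above.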