#291 User without write security changing addressbook

Milestone: v2.13
Status: closed
Owner: None
Priority: 5
Updated: 2012-09-17
Created: 2005-08-17
Creator: Anonymous
Private: No

I've been having issues with a potential security hole
with GO community 2.13. This installation is running on
a Dell PowerEdge with SUSE Linux Enterprise Server 9 on
x86 architecture.

I've created a "Global Address Book" (GAB) as admin.
This group is read to everyone, write only to the admin
user and admin group. If I log in as a regular joe user,
and subscribe to this addressbook, I can modify it in
the following ways even though I do not (as far as I
can tell) have write permission to the book.

  Move a contact from the GAB to a private addressbook
  Move a company from the GAB to a private addressbook
  Create a contact from a member into the GAB

I believe this to be a security bug.

Thain Eischeid Thain.Eischeid@mosaicinfo.org

Discussion