[PhpHelpdesk-devel] Potentially Serious Security Issue: Departmental Views

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

My understanding is that theoretically, users defined to only have access
to a given subset of depts/comps should only see information for those
companies.

We are using PHPHD in this way to allow our clients access to PHPHD records
that relate to their companies, but at the same time want to make sure that
not only can they not see substantial information about other companies,
but that they in fact do not even see what other companies are defined in
the helpdesk.

Earlier today I found that at least one of the reports (the closed report)
does not check which companies the user is defined as having access to, and
both gives the user the full list of companies from which to choose in the
report setup and also reports on that list.

This, in my mind, is a serious problem.

I've just CVS committed some changes (to reports/closed.scp.php and
scripts/generatereport.scp.php) that fix this problem.  At the same time, I
was annoyed that regardless of the g_dept_or_comp setting, the report still
says "All Departments," so I internationalized that and checked for the
value of g_dept_or_comp so it now says "All Departments" or "All Companies"
as appropriate.  That's committed too (which means all the language files
have changed slightly, though obviously only the English one is correct).

So all the files are checked in to whatever the current branch of PHPHD is
currently active.  I've also updated CHANGELOG, of course.

Now, to my mind, this a serious enough thing that we should consider
informing the user community of this and possibly expediting the release of
the changes to them in a more than "here's the CVS commands to get the
current snapshot" way.  Thoughts?

Given that I'm just a lowly developer (and an amateur one at that), I'm
quite comfortable bowing to other peoples' opinions, though I should note
that if I don't see a response to this in a reasonable amount of time (one
week), I'll consider it a sign that nobody cares all that much and write to
the PHPHD users list to let them know.

-roy