Hello:

On Thu, 27 Mar 2008, Tibor Simko wrote:
> *) fixed alert deletion tool vulnerability (WebAlert)

We have been contacted to provide more information on this point.

This vulnerability concerned the email notification alert facility in
CDS Invenio 0.92.1 and several previous versions. The highest
theoretical impact could have been for a malicious registered user A
to delete the personal email notification alerts set up by another
registered user B. For this to happen, the user A would have to know
the internal UID of the user B and would have to pass it as a URL
parameter when deleting his own alerts. The vulnerability existed
only on the user alert set up level and did not offer any break-in
potential of any sort.

Here is a simple patch fixing this problem for CDS Invenio 0.92.1:

$ cat /tmp/z.patch
@@ -264,6 +264,7 @@
# remove a row from the alerts table: user_query_basket
query = """DELETE FROM user_query_basket
- WHERE id_user='%s' AND id_query='%s' AND id_basket='%s'"""
- query %= (id_user, id_query, id_basket)
+ WHERE id_user='%s' AND id_query='%s' AND id_basket='%s'
+ AND id_user='%s'"""
+ query %= (id_user, id_query, id_basket, uid)
run_sql(query)
out += "The alert <b>%s</b> has been removed from your profile.<br /><br
/>\n" % alert_name
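Review bot: with the added `AND id_user='%s'` clause bound to `uid`, a request whose `id_user` differs from `uid` now deletes no rows, yet the unchanged `out +=` line after `run_sql(query)` still tells the user the alert has been removed. Compare `id_user` with `uid` before building the query and return an error on mismatch, or drop the request-supplied `id_user` from the WHERE clause and use `uid` alone. Separately, the values are still interpolated into the SQL string with `query %= (...)` inside quoted `'%s'` placeholders; they should be passed to the database layer as bound parameters rather than formatted into the statement.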

You can apply it in the following way:

$ cd /opt/cds-invenio/lib/python/invenio
$ patch webalert.py /tmp/z.patch
$ sudo apachectl restart

Best regards
--
Tibor Simko ** CERN Document Server ** <http://cds.cern.ch/>
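
The ownership check described in this message, shown as an added example that is not part of the original e-mail or of the CDS Invenio code: it uses an in-memory SQLite table with constructed rows in place of Invenio's database layer. The function names and the `session_uid` parameter (assumed to be the authenticated user's id, like `uid` in the patch) are assumptions.

```python
import sqlite3

DELETE_SQL = ("DELETE FROM user_query_basket "
              "WHERE id_user=? AND id_query=? AND id_basket=?")

def make_db():
    """Constructed sample data: one alert for user A (1), one for user B (2)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user_query_basket "
               "(id_user INTEGER, id_query INTEGER, id_basket INTEGER)")
    db.executemany("INSERT INTO user_query_basket VALUES (?, ?, ?)",
                   [(1, 10, 100), (2, 20, 200)])
    return db

def remove_alert_unchecked(db, id_user, id_query, id_basket):
    """Pre-patch behaviour: the owner id is taken from the request alone."""
    return db.execute(DELETE_SQL, (id_user, id_query, id_basket)).rowcount

def remove_alert_checked(db, session_uid, id_user, id_query, id_basket):
    """Owner id is tied to the authenticated session (assumed meaning of uid)."""
    if str(id_user) != str(session_uid):
        return 0  # request names another user's alert: delete nothing
    # Bound parameters keep request values out of the SQL text.
    cur = db.execute(DELETE_SQL, (session_uid, id_query, id_basket))
    return cur.rowcount  # 0 means no row matched; do not report success

def owners(db):
    """User ids that still have an alert, for checking the outcome."""
    rows = db.execute("SELECT id_user FROM user_query_basket ORDER BY id_user")
    return [r[0] for r in rows]

if __name__ == "__main__":
    db = make_db()
    # User A (session uid 1) submits user B's id_user=2 as the URL parameter.
    print("unchecked:", remove_alert_unchecked(db, 2, 20, 200), owners(db))
    db = make_db()
    print("checked:  ", remove_alert_checked(db, 1, 2, 20, 200), owners(db))
```

The returned row count lets the caller show the "removed" message only when a row was actually deleted.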