[ https://issues.apache.org/jira/browse/VCL-467?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Aaron Coburn updated VCL-467: ----------------------------- Summary: Members of a group from one affiliation have access to groups with the same name from other affiliations (was: Members of a group from one affiliation have access to groups from other affiliations with the same name) > Members of a group from one affiliation have access to groups with the same > name from other affiliations > -------------------------------------------------------------------------------------------------------- > > Key: VCL-467 > URL: https://issues.apache.org/jira/browse/VCL-467 > Project: VCL > Issue Type: Bug > Components: web gui (frontend) > Affects Versions: 2.2, 2.2.1 > Environment: PHP 5.1 on CentOS 5.5 > Reporter: Aaron Coburn > Labels: security > Fix For: 2.3 > > Original Estimate: 1h > Remaining Estimate: 1h > > A user with permission to edit a certain group for a certain affiliation has > access to the groups with the same name from other affiliations. For > instance, if a user is a member of admin@EXAMPLE1 and therefore can modify > the group All users@EXAMPLE1, it turns out that the user can also modify the > group All users@EXAMPLE2 and potentially also admin@EXAMPLE2. The reason for > this is that the permissions check in the PHP code is based on group name > rather than group ID. This appears to only affect the "Manage Groups" page > and the "Privileges" page. > I have included patches that check the value of 'editgroupid' rather than > just 'editgroup', thereby comparing unique IDs rather than possibly > non-unique names. > The .ht-inc/groups.php page can be fixed with this patch: > 137,138c137,138 > < if(array_key_exists("editgroup", $usergroups[$id]) && > < in_array($usergroups[$id]["editgroup"], $user["groups"])) > --- > > if(array_key_exists("editgroupid", $usergroups[$id]) && > > array_key_exists($usergroups[$id]["editgroupid"], > > $user["groups"])) > The .ht-inc/privileges.php page can be fixed with this patch: > 1715c1715,1716 > < . 
"g2.name AS editgroup " > --- > > . "g2.name AS editgroup, " > > . "g2.editusergroupid AS editgroupid " > 1727c1728 > < if($grpdata["ownerid"] != $user["id"] && ! > (in_array($grpdata["editgroup"], $user["groups"]))) { > --- > > if($grpdata["ownerid"] != $user["id"] && ! > > (array_key_exists($grpdata["editgroupid"], $user["groups"]))) { > 2592c2593 > < foreach($_user["groups"] as $groupname) { > --- > > foreach($_user["groups"] as $groupid => $groupname) { > 2594,2600c2595,2604 > < # (has cascaded $priv && ! have block at this node) return 1 > < if((array_key_exists($groupname, $privs["usergroups"]) && > < in_array($priv, $privs["usergroups"][$groupname]['privs'])) > || > < ((array_key_exists($groupname, $cascadePrivs["usergroups"]) > && > < in_array($priv, > $cascadePrivs["usergroups"][$groupname]['privs'])) && > < (! array_key_exists($groupname, $privs["usergroups"]) || > < ! in_array("block", > $privs["usergroups"][$groupname]['privs'])))) { > --- > > # (has cascaded $priv && ! have block at this node) return 1 > > if((array_key_exists($groupname, $privs["usergroups"]) && > > $groupid == $privs["usergroups"][$groupname]['id'] && > > in_array($priv, $privs["usergroups"][$groupname]['privs'])) || > > ((array_key_exists($groupname, $cascadePrivs["usergroups"]) && > > $groupid == $cascadePrivs["usergroups"][$groupname]['id'] && > > in_array($priv, > > $cascadePrivs["usergroups"][$groupname]['privs'])) && > > (! array_key_exists($groupname, $privs["usergroups"]) || > > (! in_array("block", $privs["usergroups"][$groupname]['privs']) > > && > > $privs["usergroups"][$groupname]['id'] == $groupid)))) { -- This message is automatically generated by JIRA. For more information on JIRA, see: http://www.atlassian.com/software/jira
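Review bot: In the .ht-inc/groups.php hunk (137,138), the replacement check array_key_exists($usergroups[$id]["editgroupid"], $user["groups"]) is only correct if $user["groups"] is keyed by group ID on every path that reaches it, and nothing in the hunk says so. The privileges.php hunk at 2592 iterates the same array as $groupid => $groupname, which suggests that layout, but a one-line comment at the check stating "keys are group IDs, values are names" would make the dependency explicit. It is also worth confirming how the check behaves when editgroupid is NULL or empty, so that an empty key can never match.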
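Review bot: In the privileges.php hunk at 1715, the added column "g2.editusergroupid AS editgroupid" looks like the wrong column. The same query already selects "g2.name AS editgroup", so g2 appears to be the edit group's own row; its unique ID would then be g2.id, while g2.editusergroupid would be the edit group of that edit group. The join is not visible in the hunk, so please check it against the FROM clause. If g2 is joined on the edit group's id, the comparison at 1727, array_key_exists($grpdata["editgroupid"], $user["groups"]), tests membership in a different group than the one named in editgroup.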
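Review bot: In the privileges.php hunk at 2594-2600 (now 2595-2604), $privs["usergroups"] and $cascadePrivs["usergroups"] are still indexed by $groupname, with the ID compared afterwards, so two groups that share a name across affiliations still share a single array slot. Only one of them can be represented at a node, and members of the other will fail the "$groupid == ...['id']" test even when they legitimately hold the privilege. The block clause also changes meaning: "(! in_array("block", ...) && $privs["usergroups"][$groupname]['id'] == $groupid)" now evaluates to false when a same-named group from another affiliation is present at the node without a block, which drops the cascaded privilege for the user's own group. Indexing both arrays by group ID and looking them up with $groupid would remove the name collision and keep the original block logic unchanged.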