View Issue Details

ID: 0003245
Project: SOGo
Category: Backend Address Book
View Status: public
Last Update: 2015-06-11 16:37
Reporter: stefancastille
Assigned To: francis
Priority: low
Severity: minor
Reproducibility: always
Status: resolved
Resolution: fixed
Platform: Browser
Product Version: 2.3.0
Fixed in Version: 2.3.1
Summary: 0003245: Unable to remove contacts in Address book
Description

Certain contacts cannot be removed from the address book. While these contacts are 'illegal', it is possible to create them. If you can have a target create these contacts (e.g. through CSRF), they will not be able to remove them.

Steps To Reproduce

Create a contact with ID test<a>test:

  1. setup a proxy to intercept the request
  2. create a new contact and intercept the request
  3. replace POST /SOGo/so/test@testdomain.com/Contacts/personal/261D-55757E00-11-3A795480.vcf/saveAsContact
    with
    POST /SOGo/so/test@testdomain.com/Contacts/personal/test<a>test/saveAsContact
  4. attempt to delete or move the contact
Additional Information

Since creating a contact in the address book does not depend on a CSRF token, this can be used in an attack against other users. The only information required is the username of the victim, which in a lot of cases will simply be the email address.

Note that the intercepting proxy is only required to reproduce the issue easily; you can also create a webpage that triggers the altered POST request.

Tags: No tags attached.

Issue History

Date Modified Username Field Change
2015-06-10 10:50 stefancastille New Issue
2015-06-11 16:37 francis Note Added: 0008621
2015-06-11 16:37 francis Status new => resolved
2015-06-11 16:37 francis Fixed in Version => 2.3.1
2015-06-11 16:37 francis Resolution open => fixed
2015-06-11 16:37 francis Assigned To => francis