View Issue Details

ID: 0003695
Project: SOGo
Category: Backend Calendar
View Status: public
Last Update: 2016-07-04 14:47
Reporter: Jens Erat
Assigned To: ludovic
Priority: urgent
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 2.3.9
Fixed in Version: 2.3.12
Summary: 0003695: Private information leakage through ics/XML feeds when restricted to "View the Date & Time"
Description

Private information is leaked through the ics and XML calendar feeds. It seems a blacklist approach is used for filtering the description and other fields, but this results in insufficient filtering and leakage of information. Ad hoc, I was able to observe the following fields containing critical information:

  • ORGANIZER (who invited the calendar owner?)
  • X-ALT-DESC (Outlook-specific extended copy of the description?)

Several other attributes have also been shared.

Instead of a blacklist approach, a whitelist approach only returning a required set (like start and end time) should be applied, so implementation-specific fields are generally blocked. The set of allowed fields should be minimal.

Steps To Reproduce

User Alice:

  • Right click calendar
  • Open Sharing
  • Open "Any Authenticated User"
  • Enable "View the Date & Time" for some confidentiality level
  • Import attached appointment

Any other authenticated user:

  • Fetch ICS feed
  • Search for X-ALT-DESC attribute
Tags: No tags attached.

Activities

Jens Erat (reporter), 2016-05-25 08:04

x-alt-desc-appointment.ics (1,562 bytes)   
BEGIN:VCALENDAR
VERSION:2.0
BEGIN:VTIMEZONE
TZID:Westeuropäische Normalzeit
BEGIN:STANDARD
DTSTART:19710101T030000
TZOFFSETTO:+0100
TZOFFSETFROM:+0200
RRULE:FREQ=YEARLY;INTERVAL=1;BYMONTH=10;BYDAY=-1SU;WKST=MO
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:19710101T020000
TZOFFSETTO:+0200
TZOFFSETFROM:+0100
RRULE:FREQ=YEARLY;INTERVAL=1;BYMONTH=3;BYDAY=-1SU;WKST=MO
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
UID:040000008200E00074C5B7101A82E00800000000101624DAAC21CA01000000000000000
 01000000065EED4FCBAF7074390A8B7BC0DEE8FFF
SUMMARY:und noch einer
X-ALT-DESC;FMTTYPE=text/html:<!DOCTYPE HTML PUBLIC -//W3C//DTD HTML 3.2//EN
 >\n<HTML>\n<HEAD>\n<META HTTP-EQUIV=Content-Type CONTENT=text/html\\\; cha
 rset=utf-8>\n<META NAME=Generator CONTENT=MS Exchange Server version 08.00
 .0681.000>\n<TITLE>und noch einer</TITLE>\n</HEAD>\n<BODY>\n<!-- Converted
  from text/rtf format -->\n\n<P DIR=LTR><SPAN LANG=de></SPAN></P>\n\n</BOD
 Y>\n</HTML>
ATTENDEE;ROLE=REQ-PARTICIPANT;CN=sabine.musterfrau@cal.uni-konstanz.de;PART
 STAT=TENTATIVE;RSVP=TRUE:mailto:sabine.musterfrau@cal.uni-konstanz.de
ORGANIZER;CN=hugine.habicht@uni-konstanz.de:mailto:hugine.habicht@uni-konst
 anz.de
DTSTART;TZID=Westeuropäische Normalzeit:20090825T080000
DTEND;TZID=Westeuropäische Normalzeit:20090825T083000
STATUS:CONFIRMED
CLASS:PUBLIC
X-MICROSOFT-CDO-INTENDEDSTATUS:BUSY
TRANSP:OPAQUE
X-MICROSOFT-DISALLOW-COUNTER:TRUE
DTSTAMP:20090820T134029Z
SEQUENCE:0
BEGIN:VALARM
ACTION:DISPLAY
TRIGGER;RELATED=START:-PT15M
END:VALARM
END:VEVENT
END:VCALENDAR
ludovic (administrator), 2016-05-26 14:46, note ~0010216

https://github.com/inverse-inc/sogo/commit/e4ac2c7603d9254dd12775a9535631e90a78c3f5

Also fixed in v3.1.1.

Note that the Organization "leakage" wasn't too much of a deal because it can only be the owner of the calendar you're pumping data from. So in reality, you know that person.

As for X- tags, we now strip them.

Jens Erat (reporter), 2016-05-27 03:30, note ~0010222

ORGANIZER can also be somebody else, so if Alice invites Bob and you look into Bob's calendar, you realize Alice is ORGANIZER. Anyway, at least the information is leaked that the appointment is one with somebody invited, which is more than "date and time".

I had a look at the standard and realized that there are quite a number of additional VEVENT attributes, with lots of them rather sensitive. I attached another appointment with some of them; at least with 2.3.9 all of them are passed through, and reading the patch I don't see that this is fixed yet.

Some of them are fine for sure; I just listed all of the attributes. Most of the attributes are probably even wrong, I just added a string everywhere. Also be aware that some attributes are allowed multiple times.

Jens Erat (reporter), 2016-05-27 03:31

ics-attributes.ics (2,103 bytes)   
BEGIN:VCALENDAR
VERSION:2.0
BEGIN:VTIMEZONE
TZID:Westeuropäische Normalzeit
BEGIN:STANDARD
DTSTART:19710101T030000
TZOFFSETTO:+0100
TZOFFSETFROM:+0200
RRULE:FREQ=YEARLY;INTERVAL=1;BYMONTH=10;BYDAY=-1SU;WKST=MO
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:19710101T020000
TZOFFSETTO:+0200
TZOFFSETFROM:+0100
RRULE:FREQ=YEARLY;INTERVAL=1;BYMONTH=3;BYDAY=-1SU;WKST=MO
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
UID:040000008200E00074C5B7101A82E00800000000101624DAAC21CA01000000000000000
 01000000065EED4FCBAF7074390A8B7BC0DEE8FFF
SUMMARY:summary
CLASS:und noch einer
CREATED:und noch einer
GEO:und noch einer
LAST-MOD:und noch einer
LOCATION:und noch einer
DESCRIPTION:und noch einer
PRIORITY:und noch einer
SEQ:und noch einer
STATUS:und noch einer
TRANSPR:und noch einer
URL:und noch einer
ATTACH:und noch einer
ATTENDEE:und noch einer
CATEGORIES:und noch einer
COMMENT:und noch einer
CONTACT:und noch einer
EXDATE:und noch einer
RSTATUS:und noch einer
RELATED:und noch einer
RESOURCES:und noch einer
RDATE:und noch einer
RELATED:und noch einer
RELATED:und noch einer
X-ALT-DESC;FMTTYPE=text/html:<!DOCTYPE HTML PUBLIC -//W3C//DTD HTML 3.2//EN
 >\n<HTML>\n<HEAD>\n<META HTTP-EQUIV=Content-Type CONTENT=text/html\\\; cha
 rset=utf-8>\n<META NAME=Generator CONTENT=MS Exchange Server version 08.00
 .0681.000>\n<TITLE>und noch einer</TITLE>\n</HEAD>\n<BODY>\n<!-- Converted
  from text/rtf format -->\n\n<P DIR=LTR><SPAN LANG=de></SPAN></P>\n\n</BOD
 Y>\n</HTML>
ATTENDEE;ROLE=REQ-PARTICIPANT;CN=sabine.musterfrau@cal.uni-konstanz.de;PART
 STAT=TENTATIVE;RSVP=TRUE:mailto:sabine.musterfrau@cal.uni-konstanz.de
ORGANIZER;CN=hugine.habicht@uni-konstanz.de:mailto:hugine.habicht@uni-konst
 anz.de
DTSTART;TZID=Westeuropäische Normalzeit:20160527T080000
DTEND;TZID=Westeuropäische Normalzeit:20160527T090000
STATUS:CONFIRMED
CLASS:PUBLIC
X-MICROSOFT-CDO-INTENDEDSTATUS:BUSY
TRANSP:OPAQUE
X-MICROSOFT-DISALLOW-COUNTER:TRUE
DTSTAMP:20090820T134029Z
SEQUENCE:0
BEGIN:VALARM
ACTION:DISPLAY
TRIGGER;RELATED=START:-PT15M
END:VALARM
END:VEVENT
END:VCALENDAR
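The whitelist filter the description recommends, beside a blacklist of the shape the report and the fix note describe (a few known fields plus everything with an X- prefix), as an added example in Python. This is not SOGo's code (the project is Objective-C) and makes no claim about how SOGoCalendarComponent.m filters; the sample calendar is constructed after the two attachments above with invented addresses, text, UID and URL, and the ALLOWED set is an assumption about what a "View the Date & Time" level needs. The example also unfolds content lines before filtering, which any line-based filter has to do, and `vevent_properties` run over a fetched feed, minus ALLOWED, is the check the reproduction steps describe by hand.

```python
"""Whitelist vs. blacklist filtering of VEVENT properties for a feed that is
meant to expose only date and time.  Added example, not SOGo code."""
import re

# Constructed sample modelled on the attachments in this issue; addresses,
# text, UID and URL are invented.  Long properties are folded as RFC 5545
# requires (continuation lines start with one space).
SAMPLE_ICS = r"""
BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//example//constructed sample//EN
BEGIN:VEVENT
UID:constructed-sample-uid-0001
SUMMARY:und noch einer
DESCRIPTION:internal notes about the merger
X-ALT-DESC;FMTTYPE=text/html:<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN
 ">\n<HTML>\n<BODY>internal notes about the merger</BODY>\n</HTML>
ATTENDEE;ROLE=REQ-PARTICIPANT;CN=sabine.musterfrau@example.org;PARTSTAT=TEN
 TATIVE;RSVP=TRUE:mailto:sabine.musterfrau@example.org
ATTENDEE;ROLE=OPT-PARTICIPANT:mailto:second.attendee@example.org
ORGANIZER;CN=hugine.habicht@example.org:mailto:hugine.habicht@example.org
LOCATION:Room 1.23
URL:https://example.org/confidential-agenda
DTSTART;TZID=Europe/Berlin:20160527T080000
DTEND;TZID=Europe/Berlin:20160527T090000
DTSTAMP:20090820T134029Z
SEQUENCE:0
CLASS:PUBLIC
BEGIN:VALARM
ACTION:DISPLAY
DESCRIPTION:Reminder: call the lawyer
TRIGGER;RELATED=START:-PT15M
END:VALARM
END:VEVENT
END:VCALENDAR
""".strip().replace("\n", "\r\n")

# Assumed minimal set for a date-and-time-only view: when the event is, how
# it recurs, and the UID that RFC 5545 makes mandatory.  Everything else,
# including properties the filter has never heard of, is dropped.
ALLOWED = {"UID", "DTSTAMP", "DTSTART", "DTEND", "DURATION", "RRULE",
           "RDATE", "EXDATE", "RECURRENCE-ID", "SEQUENCE"}

# A blacklist of the shape the report describes: a few known text fields,
# plus (as the fix note says) everything with an X- prefix.
BLOCKED = {"SUMMARY", "DESCRIPTION", "LOCATION", "COMMENT"}


def unfold(text):
    """Join folded content lines (RFC 5545 3.1: continuation = leading SPACE
    or HTAB).  Filters must run on unfolded lines; see naive_prefix_strip."""
    lines = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def fold(line, limit=75):
    """Fold one content line at `limit` octets without splitting a UTF-8
    sequence; continuation lines get a leading space, which costs one octet."""
    data, parts, width = line.encode("utf-8"), [], limit
    while data:
        cut = min(width, len(data))
        while cut < len(data) and (data[cut] & 0xC0) == 0x80:
            cut -= 1                      # do not end inside a multibyte char
        parts.append(data[:cut].decode("utf-8"))
        data, width = data[cut:], limit - 1
    return "\r\n ".join(parts)


def prop_name(line):
    """Property name is everything before the first ';' (parameter) or ':'."""
    return re.split(r"[;:]", line, maxsplit=1)[0].upper()


def filter_vevent(text, keep):
    """Rebuild the calendar, keeping inside each VEVENT only the properties
    for which keep(name) is true.  Components nested in VEVENT (VALARM, whose
    DESCRIPTION can leak as well) are dropped whole; VTIMEZONE etc. pass."""
    out, stack = [], []
    for line in unfold(text):
        name = prop_name(line)
        if name == "BEGIN":
            stack.append(line.split(":", 1)[1].upper())
            if stack[-1] == "VEVENT" or "VEVENT" not in stack:
                out.append(line)
        elif name == "END":
            comp = stack.pop()
            if comp == "VEVENT" or "VEVENT" not in stack:
                out.append(line)
        elif "VEVENT" not in stack or (stack[-1] == "VEVENT" and keep(name)):
            out.append(line)
    return "\r\n".join(fold(l) for l in out) + "\r\n"


def whitelist(text):
    return filter_vevent(text, lambda n: n in ALLOWED)


def blacklist(text):
    return filter_vevent(text, lambda n: n not in BLOCKED and not n.startswith("X-"))


def vevent_properties(text):
    """Names of the properties present inside VEVENTs; run this over a fetched
    feed and subtract ALLOWED to list what still leaks."""
    names, inside = set(), False
    for line in unfold(text):
        if line.upper() == "BEGIN:VEVENT":
            inside = True
        elif line.upper() == "END:VEVENT":
            inside = False
        elif inside and prop_name(line) not in ("BEGIN", "END"):
            names.add(prop_name(line))
    return names


def naive_prefix_strip(text):
    """The folding pitfall: filtering physical lines by prefix removes only the
    first line of X-ALT-DESC; its continuation lines, HTML included, survive."""
    kept = [l for l in text.splitlines()
            if prop_name(l) not in BLOCKED and not l.startswith("X-")]
    return "\r\n".join(kept) + "\r\n"


if __name__ == "__main__":
    print(whitelist(SAMPLE_ICS))
    print("blacklist still exposes:",
          sorted(vevent_properties(blacklist(SAMPLE_ICS)) - ALLOWED))
```

Run stand-alone it prints the whitelisted calendar and the properties the blacklist still exposes on this sample (ATTENDEE, CLASS, ORGANIZER, URL). Whether the original UID should pass through or be replaced by a derived one is a separate decision; the changeset on this page mentions UID generation for issue 0003696.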

Related Changesets

sogo: master 875a4aca
2016-05-27 10:53:16
ludovic
(fix) improved previous commit for attributes stripping and UID generation (fixes 0003695 and 0003696)
Affected Issues: 0003695
mod - SoObjects/Appointments/SOGoCalendarComponent.m
mod - SoObjects/SOGo/SOGoUserSettings.h
mod - SoObjects/SOGo/SOGoUserSettings.m

sogo: v2 717f45f6
2016-05-27 10:53:16
ludovic
(fix) improved previous commit for attributes stripping and UID generation (fixes 0003695 and 0003696)

Conflicts:

SoObjects/Appointments/SOGoCalendarComponent.m
Affected Issues: 0003695
mod - SoObjects/Appointments/SOGoCalendarComponent.m
mod - SoObjects/SOGo/SOGoUserSettings.h
mod - SoObjects/SOGo/SOGoUserSettings.m

Issue History

Date Modified Username Field Change
2016-05-25 08:04 Jens Erat New Issue
2016-05-25 08:04 Jens Erat File Added: x-alt-desc-appointment.ics
2016-05-26 14:46 ludovic Note Added: 0010216
2016-05-26 14:46 ludovic Status new => resolved
2016-05-26 14:46 ludovic Fixed in Version => 2.3.12
2016-05-26 14:46 ludovic Resolution open => fixed
2016-05-26 14:46 ludovic Assigned To => ludovic
2016-05-27 03:30 Jens Erat Note Added: 0010222
2016-05-27 03:30 Jens Erat Status resolved => feedback
2016-05-27 03:30 Jens Erat Resolution fixed => reopened
2016-05-27 03:31 Jens Erat File Added: ics-attributes.ics
2016-05-27 10:55 ludovic Changeset attached => sogo master 875a4aca
2016-05-27 10:55 ludovic Status feedback => resolved
2016-05-27 10:55 ludovic Resolution reopened => fixed
2016-05-27 10:56 ludovic Changeset attached => sogo v2 717f45f6
2016-07-04 14:47 ludovic View Status private => public