View Issue Details

IDProjectCategoryView StatusLast Update
0003245SOGoBackend Address Bookpublic2015-06-11 16:37
Reporterstefancastille Assigned Tofrancis  
Status resolvedResolutionfixed 
Product Version2.3.0 
Fixed in Version2.3.1 
Summary0003245: Unable to remove contacts in Address book

Certain contacts cannot be removed from the address book. While the contacts are 'illegal', it is possible to create them. If you can have a target create these contacts, (eg through CSRF), he will not be able to remove them.

Steps To Reproduce

create a contact with ID test<a>test

  1. setup a proxy to intercept the request
  2. create a new contact and intercept the request
  3. replace POST /SOGo/so/
    POST /SOGo/so/<a>test/saveAsContact
  4. attempt to delete or move the contact
Additional Information

Since creating a contact in the address book does not depend on a CSRF token, this can be used in an attack against other users. The only information required is the username of the victim which is a lot of cases will simply be the email address.

Note that the intercepting proxy is only required to easily reproduce, you can also create a webpage that triggers the altered POST request

TagsNo tags attached.

Issue History

Date Modified Username Field Change
2015-06-10 10:50 stefancastille New Issue
2015-06-11 16:37 francis Note Added: 0008621
2015-06-11 16:37 francis Status new => resolved
2015-06-11 16:37 francis Fixed in Version => 2.3.1
2015-06-11 16:37 francis Resolution open => fixed
2015-06-11 16:37 francis Assigned To => francis