View Issue Details

ID | Project | Category | View Status | Date Submitted | Last Update
---|---|---|---|---|---
0003245 | SOGo | Backend Address Book | public | 2015-06-10 10:50 | 2015-06-11 16:37

Field | Value
---|---
Reporter | stefancastille
Assigned To | francis
Priority | low
Severity | minor
Reproducibility | always
Status | resolved
Resolution | fixed
Platform | Browser
Product Version | 2.3.0
Fixed in Version | 2.3.1
Summary | 0003245: Unable to remove contacts in Address book
Description | Certain contacts cannot be removed from the address book. While the contacts are 'illegal', it is possible to create them. If you can have a target create these contacts (e.g. through CSRF), he will not be able to remove them.
Steps To Reproduce | Create a contact with ID `test<a>test`.
Additional Information | Since creating a contact in the address book does not depend on a CSRF token, this can be used in an attack against other users. The only information required is the username of the victim, which in a lot of cases will simply be the email address. Note that the intercepting proxy is only required to easily reproduce; you can also create a webpage that triggers the altered POST request.
Tags | No tags attached.
Date Modified | Username | Field | Change |
---|---|---|---|
2015-06-10 10:50 | stefancastille | New Issue | |
2015-06-11 16:37 | francis | Note Added: 0008621 | |
2015-06-11 16:37 | francis | Status | new => resolved |
2015-06-11 16:37 | francis | Fixed in Version | => 2.3.1 |
2015-06-11 16:37 | francis | Resolution | open => fixed |
2015-06-11 16:37 | francis | Assigned To | => francis |