0003695: Private information leakage through ics/XML feeds when restricted to "View the Date & Time" - SOGo | BTS

ID	Project	Category	View Status	Date Submitted	Last Update

0003695	SOGo	Backend Calendar	public	2016-05-25 12:04	2016-07-04 18:47

Reporter	Jens Erat	Assigned To	ludovic
Priority	urgent	Severity	major	Reproducibility	always
Status	resolved	Resolution	fixed
Product Version	2.3.9
Fixed in Version	2.3.12

Summary	0003695: Private information leakage through ics/XML feeds when restricted to "View the Date & Time"
Description	Private information is leaked through the ics and XML calendar feeds. It seems, a blacklist approach is used for filtering description and other fields, but this results in insufficient filtering and leakage of information. Ad hoc, I was able to observe following fields containing critical information: ORGANIZER (who invited the calendar owner?) X-ALT-DESC (Outlook-specific extended copy of the description?) Several other attributes have also been shared. Instead of a blacklist approach, a whitelist approach only returning a required set (like start and end time) should be applied, so implementation-specific fields are generally blocked. The set of allowed fields should be minimal.
Steps To Reproduce	User Alice: Right click calendar Open Sharing Open "Any Authenticated User" Enable "View the Date & Time" for some confidentiality level Import attached appointment Any other authenticated user: Fetch ICS feed Search for X-ALT-DESC attribute
Tags	No tags attached.

Jens Erat 2016-05-25 12:04 reporter	x-alt-desc-appointment.ics (1,562 bytes) BEGIN:VCALENDAR VERSION:2.0 BEGIN:VTIMEZONE TZID:Westeuropäische Normalzeit BEGIN:STANDARD DTSTART:19710101T030000 TZOFFSETTO:+0100 TZOFFSETFROM:+0200 RRULE:FREQ=YEARLY;INTERVAL=1;BYMONTH=10;BYDAY=-1SU;WKST=MO END:STANDARD BEGIN:DAYLIGHT DTSTART:19710101T020000 TZOFFSETTO:+0200 TZOFFSETFROM:+0100 RRULE:FREQ=YEARLY;INTERVAL=1;BYMONTH=3;BYDAY=-1SU;WKST=MO END:DAYLIGHT END:VTIMEZONE BEGIN:VEVENT UID:040000008200E00074C5B7101A82E00800000000101624DAAC21CA01000000000000000 01000000065EED4FCBAF7074390A8B7BC0DEE8FFF SUMMARY:und noch einer X-ALT-DESC;FMTTYPE=text/html:<!DOCTYPE HTML PUBLIC -//W3C//DTD HTML 3.2//EN >\n<HTML>\n<HEAD>\n<META HTTP-EQUIV=Content-Type CONTENT=text/html\\\; cha rset=utf-8>\n<META NAME=Generator CONTENT=MS Exchange Server version 08.00 .0681.000>\n<TITLE>und noch einer</TITLE>\n</HEAD>\n<BODY>\n<!-- Converted from text/rtf format -->\n\n<P DIR=LTR><SPAN LANG=de></SPAN></P>\n\n</BOD Y>\n</HTML> ATTENDEE;ROLE=REQ-PARTICIPANT;CN=sabine.musterfrau@cal.uni-konstanz.de;PART STAT=TENTATIVE;RSVP=TRUE:mailto:sabine.musterfrau@cal.uni-konstanz.de ORGANIZER;CN=hugine.habicht@uni-konstanz.de:mailto:hugine.habicht@uni-konst anz.de DTSTART;TZID=Westeuropäische Normalzeit:20090825T080000 DTEND;TZID=Westeuropäische Normalzeit:20090825T083000 STATUS:CONFIRMED CLASS:PUBLIC X-MICROSOFT-CDO-INTENDEDSTATUS:BUSY TRANSP:OPAQUE X-MICROSOFT-DISALLOW-COUNTER:TRUE DTSTAMP:20090820T134029Z SEQUENCE:0 BEGIN:VALARM ACTION:DISPLAY TRIGGER;RELATED=START:-PT15M END:VALARM END:VEVENT END:VCALENDAR x-alt-desc-appointment.ics (1,562 bytes)

ludovic 2016-05-26 18:46 administrator ~0010216	https://github.com/inverse-inc/sogo/commit/e4ac2c7603d9254dd12775a9535631e90a78c3f5 Also fixed in v3.1.1. Note that the Organization "leakage" wasn't too much of a deal because it can only be the owner of the calendar you're pumping data from. So in reality, you know that person. As for X- tags, we now strip them.

Jens Erat 2016-05-27 07:30 reporter ~0010222	ORGANIZER can also be somebody else, so if Alice invites Bob and you look into Bob's calendar, you realize Alice is ORGANIZER. Anyway, at least the information is leaked that the appointment is one with somebody invited, which is more than "date and time". I had a look at the standard and realized that there are quite a number of additional VEVENT attributes, with lots of them rather sensitive. I attached another appointment with some of them, at least with 2.3.9 all of them are passed through, and reading the patch I don't see that this is fixed yet. Some of them are fine for sure, I just listed all of the attributes. Most of the attributes are probably even wrong, I just added a string everywhere. Also be aware that some attributes are allowed multiple times.

Jens Erat 2016-05-27 07:31 reporter	ics-attributes.ics (2,103 bytes) BEGIN:VCALENDAR VERSION:2.0 BEGIN:VTIMEZONE TZID:Westeuropäische Normalzeit BEGIN:STANDARD DTSTART:19710101T030000 TZOFFSETTO:+0100 TZOFFSETFROM:+0200 RRULE:FREQ=YEARLY;INTERVAL=1;BYMONTH=10;BYDAY=-1SU;WKST=MO END:STANDARD BEGIN:DAYLIGHT DTSTART:19710101T020000 TZOFFSETTO:+0200 TZOFFSETFROM:+0100 RRULE:FREQ=YEARLY;INTERVAL=1;BYMONTH=3;BYDAY=-1SU;WKST=MO END:DAYLIGHT END:VTIMEZONE BEGIN:VEVENT UID:040000008200E00074C5B7101A82E00800000000101624DAAC21CA01000000000000000 01000000065EED4FCBAF7074390A8B7BC0DEE8FFF SUMMARY:summary CLASS:und noch einer CREATED:und noch einer GEO:und noch einer LAST-MOD:und noch einer LOCATION:und noch einer DESCRIPTION:und noch einer PRIORITY:und noch einer SEQ:und noch einer STATUS:und noch einer TRANSPR:und noch einer URL:und noch einer ATTACH:und noch einer ATTENDEE:und noch einer CATEGORIES:und noch einer COMMENT:und noch einer CONTACT:und noch einer EXDATE:und noch einer RSTATUS:und noch einer RELATED:und noch einer RESOURCES:und noch einer RDATE:und noch einer RELATED:und noch einer RELATED:und noch einer X-ALT-DESC;FMTTYPE=text/html:<!DOCTYPE HTML PUBLIC -//W3C//DTD HTML 3.2//EN >\n<HTML>\n<HEAD>\n<META HTTP-EQUIV=Content-Type CONTENT=text/html\\\; cha rset=utf-8>\n<META NAME=Generator CONTENT=MS Exchange Server version 08.00 .0681.000>\n<TITLE>und noch einer</TITLE>\n</HEAD>\n<BODY>\n<!-- Converted from text/rtf format -->\n\n<P DIR=LTR><SPAN LANG=de></SPAN></P>\n\n</BOD Y>\n</HTML> ATTENDEE;ROLE=REQ-PARTICIPANT;CN=sabine.musterfrau@cal.uni-konstanz.de;PART STAT=TENTATIVE;RSVP=TRUE:mailto:sabine.musterfrau@cal.uni-konstanz.de ORGANIZER;CN=hugine.habicht@uni-konstanz.de:mailto:hugine.habicht@uni-konst anz.de DTSTART;TZID=Westeuropäische Normalzeit:20160527T080000 DTEND;TZID=Westeuropäische Normalzeit:20160527T090000 STATUS:CONFIRMED CLASS:PUBLIC X-MICROSOFT-CDO-INTENDEDSTATUS:BUSY TRANSP:OPAQUE X-MICROSOFT-DISALLOW-COUNTER:TRUE DTSTAMP:20090820T134029Z SEQUENCE:0 BEGIN:VALARM ACTION:DISPLAY TRIGGER;RELATED=START:-PT15M END:VALARM END:VEVENT END:VCALENDAR ics-attributes.ics (2,103 bytes)

sogo: master 875a4aca 2016-05-27 10:53 ludovic Details Diff	(fix) improved previous commit for attributes stripping and UID generation (fixes 0003695 and 0003696)		Affected Issues 0003695
	mod - SoObjects/Appointments/SOGoCalendarComponent.m		Diff File
	mod - SoObjects/SOGo/SOGoUserSettings.h		Diff File
	mod - SoObjects/SOGo/SOGoUserSettings.m		Diff File
sogo: v2 717f45f6 2016-05-27 10:53 ludovic Details Diff	(fix) improved previous commit for attributes stripping and UID generation (fixes 0003695 and 0003696) Conflicts: SoObjects/Appointments/SOGoCalendarComponent.m		Affected Issues 0003695
	mod - SoObjects/Appointments/SOGoCalendarComponent.m		Diff File
	mod - SoObjects/SOGo/SOGoUserSettings.h		Diff File
	mod - SoObjects/SOGo/SOGoUserSettings.m		Diff File

Date Modified	Username	Field	Change
2016-05-25 12:04	Jens Erat	New Issue
2016-05-25 12:04	Jens Erat	File Added: x-alt-desc-appointment.ics
2016-05-26 18:46	ludovic	Note Added: 0010216
2016-05-26 18:46	ludovic	Status	new => resolved
2016-05-26 18:46	ludovic	Fixed in Version	=> 2.3.12
2016-05-26 18:46	ludovic	Resolution	open => fixed
2016-05-26 18:46	ludovic	Assigned To	=> ludovic
2016-05-27 07:30	Jens Erat	Note Added: 0010222
2016-05-27 07:30	Jens Erat	Status	resolved => feedback
2016-05-27 07:30	Jens Erat	Resolution	fixed => reopened
2016-05-27 07:31	Jens Erat	File Added: ics-attributes.ics
2016-05-27 14:55	ludovic	Changeset attached	=> sogo master 875a4aca
2016-05-27 14:55	ludovic	Status	feedback => resolved
2016-05-27 14:55	ludovic	Resolution	reopened => fixed
2016-05-27 14:56	ludovic	Changeset attached	=> sogo v2 717f45f6
2016-07-04 18:47	ludovic	View Status	private => public