Commit 13767fbe authored by David Byers's avatar David Byers

Added a pile of (now) known information leaks.

parent c1e08a06
......@@ -3,12 +3,132 @@ server.
* Showstoppers
** We still leak secrets
*** login, login_old
If the person is secret we should return KOM_UNDEF_PERS unless the
password is correct or the session has privileges to see the
person. Right now we can map out secret persons by attempting to
log in with the wrong password.
*** change_conference
If the conference exists but is secret we return not-member. We
should return KOM_UNDEF_CONF.
*** create_person_old
*** create_person
*** change_name
*** create_conf
*** create_conf_old
If we try to use a name to the name of a secret conference we
return KOM_CONF_EXISTS. We can't really do a lot to prevent this.
*** get_session_info
*** get_session_info_ident
Returns the number of secret persons and secret conferences even
if the viewer has no right to see them.
*** set_priv_bits
*** set_passwd
Does not check if the caller is allowed to see the person.
*** get_unread_confs
Does not check that the caller is allowed to see the person, and
returns the correct result even for secret persons, including
secret confs!
*** set_user_area
*** set_presentation (do_set_presentation)
*** set_etc_motd (do_set_etc_motd)
Allows us to set user area to any text, even secret ones. Leaks
information by returning error for deleted texts and non-error for
all other texts.
*** modify_conf_info
No check for secret confs. Might permit modification of any conf.
*** lookup_name and similar functions
Not really checked.
*** get-members
Leaks number of secret members since they are not completely
deleted from the member list, just zeroed out.
*** add_member
*** add_member_old
Returns KOM_INVALID_MEMBERSHIP if we attempt to add secret person
to open conf as secret member when conf does not allow secret
members. This allows us to find all secret persons. This check is
done before we check if the user making the call is allowed to see
the conference, so it lets us find out which secret conferences
allow secret members. It is possible to add secret persons as
memberships. If the person is already a secret member the call
appears to succeed but the membership is still secret, so it is
possible to find all persons who are secret members of a
conference.
*** sub_member
No access check on conference or person before attempting to
locate membership. As a result we can find out if a conference
exists by attempting to sub_member with a nonexistant person. If
we get a KOM_UNDEF_PERS, the conference exists. Fix by doing
access checks right after getting the conf_c and pers_p from the
database. The final if statement is also suspect.
*** set_unread
*** set_last_read
No access check on conference before attempting to locate
membership. This means we can locate all secret conferences.
*** set_permitted_submitters
*** set_supervisor
*** set_super_conf
Existance check for new supervisor/permitted submitters/super
before access check on conference being changed. We can use this
to map out all secret conferences.
*** set_conf_type
No access check on conference before examining conference type.
Use this to map out all secret conferences.
*** unmark_text
No access check on the text. This is done in do_unmark_text, but
is is not immediately obvious why it works (although it does.)
Should add an explicit search for the mark before doing anything
else. Maybe.
*** mark_as_read
No access check on conf before attempting to locate membership. We
can use this to map out all secret conferences.
*** modify_text_info
No check for read access on text before check if we can delete
items. This can be used to map out all secret texts. Deletion
proceeds even for secret texts. This is bad, bad, bad.
*** sub_footnote
*** sub_comment
No read access check on texts before checking if they are
comments. This allows us to map out all secret texts and all
comment chains (just try sub_comment for all pairs of texts that
might be in the system or all secret texts found by some other
method.)
*** get-last-text
May return a secret text since no access checks are made on the
result.
*** who_is_on_dynamic
*** who_is_on_ident
*** who_is_on
*** who_is_on_old
Returns secret persons and secret working conferences. No
filtering is done on the result.
** Regex matching with the collate table does not work.
The test for param.regexps_use_collate_table is inverted.
It doesn't work anyway. Results are *strange*.
** Add CHK_CONNECTION to remaining RPC handlers.
* High priority, but they can wait until after the next release.
** async-text-deleted (and possibly others) should be sent to
......@@ -731,6 +851,9 @@ server.
ay_sub_recipient when texts are deleted.
DONE
** Add CHK_CONNECTION to remaining RPC handlers.
DONE
* In progress
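Review bot: The "** Add CHK_CONNECTION to remaining RPC handlers." line added here with "DONE" duplicates the identical line added in the first hunk under "* Showstoppers" without a DONE marker, so the file now records the task as both outstanding and finished; keep a single entry, and if the work is complete, remove it from the showstopper list instead of adding it there.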