SOGo | BTS

View Issue Details

ID: 0003695
Project: SOGo
Category: Backend Calendar
View Status: public
Date Submitted: 2016-05-25 08:04
Last Update: 2016-07-04 14:47
Reporter: Jens Erat
Assigned To: ludovic
Priority: urgent
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 2.3.9
Fixed in Version: 2.3.12
Summary: 0003695: Private information leakage through ics/XML feeds when restricted to "View the Date & Time"
Description:

Private information is leaked through the ics and XML calendar feeds. It seems a blacklist approach is used for filtering description and other fields, but this results in insufficient filtering and leakage of information. Ad hoc, I was able to observe the following fields containing critical information:

- ORGANIZER (who invited the calendar owner?)
- X-ALT-DESC (Outlook-specific extended copy of the description?)

Several other attributes have also been shared.

Instead of a blacklist approach, a whitelist approach only returning a required set (like start and end time) should be applied, so implementation-specific fields are generally blocked. The set of allowed fields should be minimal.
Steps To Reproduce:

User Alice:

- Right click calendar
- Open Sharing
- Open "Any Authenticated User"
- Enable "View the Date & Time" for some confidentiality level
- Import attached appointment

Any other authenticated user:

- Fetch ICS feed
- Search for X-ALT-DESC attribute
Tags: No tags attached.

Attached Files:

- x-alt-desc-appointment.ics (1,562 bytes) 2016-05-25 08:04
- ics-attributes.ics (2,103 bytes) 2016-05-27 03:31


- Notes

(0010216)
ludovic (administrator)
2016-05-26 14:46

https://github.com/inverse-inc/sogo/commit/e4ac2c7603d9254dd12775a9535631e90a78c3f5

Also fixed in v3.1.1.

Note that the Organization "leakage" wasn't too much of a deal because it can only be the owner of the calendar you're pumping data from. So in reality, you know that person.

As for X- tags, we now strip them.
(0010222)
Jens Erat (reporter)
2016-05-27 03:30

ORGANIZER can also be somebody else, so if Alice invites Bob and you look into Bob's calendar, you realize Alice is ORGANIZER. Anyway, at least the information is leaked that the appointment is one with somebody invited, which is more than "date and time".

I had a look at the standard and realized that there are quite a number of additional VEVENT attributes, with lots of them rather sensitive. I attached another appointment with some of them; at least with 2.3.9 all of them are passed through, and reading the patch I don't see that this is fixed yet.

Some of them are fine for sure; I just listed all of the attributes. Most of the attributes are probably even wrong, as I just added a string everywhere. Also be aware that some attributes are allowed multiple times.
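The report asks for a whitelist of exported VEVENT properties instead of stripping known-bad ones, and the follow-up notes point out two things a filter has to get right: RFC 5545 allows many sensitive properties beyond DESCRIPTION and X-ALT-DESC, and some properties may repeat. The following is an added example written for this page, not SOGo's code: a small ICS property filter in Python that unfolds lines, keeps only an allow-listed set of VEVENT properties (the set itself is a constructed choice for the example, anchored on the RFC-required UID and DTSTAMP plus date/time fields), drops nested components such as VALARM whole, and is contrasted with a deny-list filter that only removes DESCRIPTION and X- properties. The sample feed and all names in it are constructed.

```python
"""Whitelist filter for a shared-calendar ICS feed (constructed example, not SOGo code).

Only properties needed to show "date & time" survive; ORGANIZER, ATTENDEE,
DESCRIPTION, SUMMARY, LOCATION and any X- extension (e.g. X-ALT-DESC) are dropped,
and nested components not on the allow list (e.g. VALARM) are removed whole.
"""
from typing import List

# Allow list for VEVENT properties: a constructed choice for this example.
# UID and DTSTAMP are required by RFC 5545 for a valid VEVENT; the others carry
# only scheduling data. Anything not listed here is removed.
ALLOWED_VEVENT_PROPS = frozenset({
    "UID", "DTSTAMP", "DTSTART", "DTEND", "DURATION",
    "RRULE", "RDATE", "EXDATE", "RECURRENCE-ID", "TRANSP",
})

# Components kept: VTIMEZONE and its children hold only UTC-offset rules, no user data.
KEPT_COMPONENTS = frozenset({"VCALENDAR", "VTIMEZONE", "STANDARD", "DAYLIGHT", "VEVENT"})


def unfold(text: str) -> List[str]:
    """Undo RFC 5545 folding: a line starting with SPACE/HTAB continues the previous one.

    Filtering folded lines one by one would let the continuation of a dropped
    property (e.g. the second half of X-ALT-DESC) slip through, so unfold first.
    """
    lines: List[str] = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
    return lines


def property_name(line: str) -> str:
    """Name of a content line: the text before the first ';' (parameter) or ':' (value)."""
    end = len(line)
    for sep in (";", ":"):
        idx = line.find(sep)
        if idx != -1:
            end = min(end, idx)
    return line[:end].upper()


def property_names(ics: str) -> List[str]:
    """All property names in a feed; nested components show up as BEGIN/END."""
    return [property_name(line) for line in unfold(ics)]


def whitelist_filter(ics: str) -> str:
    """Keep allow-listed VEVENT properties plus calendar/timezone structure only."""
    out: List[str] = []
    stack: List[str] = []   # component names we are currently inside
    dropping = 0            # > 0 while inside a component being removed whole
    for line in unfold(ics):
        name = property_name(line)
        if name == "BEGIN":
            comp = line.partition(":")[2].strip().upper()
            stack.append(comp)
            if dropping or comp not in KEPT_COMPONENTS:
                dropping += 1
                continue
            out.append(line)
        elif name == "END":
            if stack:
                stack.pop()
            if dropping:
                dropping -= 1
                continue
            out.append(line)
        elif dropping:
            continue
        elif stack and stack[-1] == "VEVENT":
            if name in ALLOWED_VEVENT_PROPS:
                out.append(line)   # repeated properties (several EXDATE) pass unchanged
        else:
            out.append(line)       # VCALENDAR header / VTIMEZONE rules
    return "\r\n".join(out) + "\r\n"


def blacklist_filter(ics: str, blocked=("DESCRIPTION", "X-")) -> str:
    """Deny-list variant for comparison: strips only named properties and X- extensions."""
    kept = [line for line in unfold(ics)
            if not property_name(line).startswith(tuple(blocked))]
    return "\r\n".join(kept) + "\r\n"


# Constructed sample feed; every person, address and text is made up for the example.
SAMPLE_FEED = "\r\n".join([
    "BEGIN:VCALENDAR", "VERSION:2.0", "PRODID:-//example//constructed//EN",
    "BEGIN:VEVENT",
    "UID:constructed-0001@example.invalid",
    "DTSTAMP:20160525T080400Z",
    "DTSTART;TZID=Europe/Berlin:20160601T100000",
    "DTEND;TZID=Europe/Berlin:20160601T110000",
    "RRULE:FREQ=WEEKLY;COUNT=4",
    "EXDATE;TZID=Europe/Berlin:20160608T100000",
    "EXDATE;TZID=Europe/Berlin:20160615T100000",
    "SUMMARY:Salary review",
    "ORGANIZER;CN=Alice:mailto:alice@example.invalid",
    "ATTENDEE;CN=Bob:mailto:bob@example.invalid",
    "DESCRIPTION:Discuss Bob's raise",
    "X-ALT-DESC;FMTTYPE=text/html:<html>Discuss Bob's raise, folded",
    "  across two lines</html>",
    "LOCATION:Room 42",
    "BEGIN:VALARM", "ACTION:DISPLAY", "DESCRIPTION:Reminder: salary review",
    "TRIGGER:-PT15M", "END:VALARM",
    "END:VEVENT", "END:VCALENDAR",
])

if __name__ == "__main__":
    print(whitelist_filter(SAMPLE_FEED))
```

Run on the sample feed, the whitelist version leaves thirteen lines (calendar header, the two BEGIN/END pairs, UID, DTSTAMP, DTSTART, DTEND, RRULE and both EXDATE lines), while the deny-list version removes DESCRIPTION and the folded X-ALT-DESC but still exports SUMMARY, ORGANIZER, ATTENDEE, LOCATION and the VALARM component. Because the whitelist is the only thing that decides what leaves the server, a new vendor extension or a property the filter's author never heard of is blocked by default rather than leaked by default.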

- Related Changesets

sogo: master 875a4aca
Timestamp: 2016-05-27 10:53:16
Author: ludovic
(fix) improved previous commit for attributes stripping and UID generation (fixes 0003695 and 0003696)
mod - SoObjects/Appointments/SOGoCalendarComponent.m
mod - SoObjects/SOGo/SOGoUserSettings.h
mod - SoObjects/SOGo/SOGoUserSettings.m

sogo: v2 717f45f6
Timestamp: 2016-05-27 10:53:16
Author: ludovic
(fix) improved previous commit for attributes stripping and UID generation (fixes 0003695 and 0003696)

Conflicts:

SoObjects/Appointments/SOGoCalendarComponent.m
mod - SoObjects/Appointments/SOGoCalendarComponent.m
mod - SoObjects/SOGo/SOGoUserSettings.h
mod - SoObjects/SOGo/SOGoUserSettings.m

- Issue History

Date Modified | Username | Field | Change
2016-05-25 08:04 Jens Erat New Issue
2016-05-25 08:04 Jens Erat File Added: x-alt-desc-appointment.ics
2016-05-26 14:46 ludovic Note Added: 0010216
2016-05-26 14:46 ludovic Status new => resolved
2016-05-26 14:46 ludovic Fixed in Version => 2.3.12
2016-05-26 14:46 ludovic Resolution open => fixed
2016-05-26 14:46 ludovic Assigned To => ludovic
2016-05-27 03:30 Jens Erat Note Added: 0010222
2016-05-27 03:30 Jens Erat Status resolved => feedback
2016-05-27 03:30 Jens Erat Resolution fixed => reopened
2016-05-27 03:31 Jens Erat File Added: ics-attributes.ics
2016-05-27 10:55 ludovic Changeset attached => sogo master 875a4aca
2016-05-27 10:55 ludovic Status feedback => resolved
2016-05-27 10:55 ludovic Resolution reopened => fixed
2016-05-27 10:56 ludovic Changeset attached => sogo v2 717f45f6
2016-07-04 14:47 ludovic View Status private => public
