Product: Seafile server for Linux
Vendor: Seafile Ltd. http://seafile.com/
Affected versions: 3.1.1, 3.0.4 and probably prior
Fixed in version: 3.1.2
Discovered by: Kimmo Huoman
Vendor notification: 2014-08-05
Solution date: 2014-08-07
CVE reference: CVE-2014-5443
Description:
Local horizontal privilege escalation
Steps to reproduce:
1. Install seafile for user1 (using the defaults)
2. Start seafile for user1 (./seafile.sh start; ./seahub.sh start) [to create admin account]
3. Install seafile for user2 (no need to change any of the defaults, this won't be run at all)
4. Change user2 password with command-line tool (./reset-admin.sh)
5. Login to user1 installation as admin with the login information created in previous step
6. Check user1 email address and change password for that account with CLI
7. Login to UI with new information and browse files...
Provided that the user hasn't logged out, he won't even notice the password
change: files keep on syncing as before. Likewise, all files removed from the
libraries (without deleting the library itself, just the files) are removed from
the synced clients.
The issue seems to be related to ccnet handling user accounts instead of Django,
which allows password changing through the daemon running (by default) at port
13418. If I change the port in ccnet.conf to another value, the client can't
connect and the password can't be changed (until the ccnet.conf of the other
account is changed to correspond).
Changelog says:
Use unix domain socket in ccnet to listen for local connections. This isolates
the access to ccnet daemon for different users. Thanks to Kimmo Huoman and Henri
Salo for reporting this issue.
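The fix quoted above moves ccnet's local listener from a TCP port, which every
local user can reach, to a unix domain socket. That only isolates users if the
socket file itself is owner-only: a socket left with group/other permission bits
is as reachable as the localhost port was. The following check is an added
example written for this advisory, not code from Seafile or from the reporters;
it assumes nothing about ccnet's socket path and is demonstrated on sockets it
creates itself in a temporary directory.

```python
"""Audit a unix domain socket for local-user isolation (added example)."""
import os
import shutil
import socket
import stat
import tempfile

# Any of these bits on the socket file lets users other than the owner
# connect(); Linux enforces the socket file's mode on connect.
GROUP_OTHER_BITS = stat.S_IRWXG | stat.S_IRWXO


def audit_unix_socket(path, expected_uid=None):
    """Return a list of findings; an empty list means the socket is owner-only.

    Checks that `path` exists, is a unix domain socket, is owned by
    `expected_uid` (when given) and grants no group/other permission bits.
    A socket that fails the mode check isolates nobody: any local user can
    reach it, the same exposure as a daemon listening on a localhost TCP port.
    """
    findings = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["missing: %s" % path]
    if not stat.S_ISSOCK(st.st_mode):
        findings.append("not a unix domain socket: %s" % path)
    if expected_uid is not None and st.st_uid != expected_uid:
        findings.append("owned by uid %d, expected %d" % (st.st_uid, expected_uid))
    mode = stat.S_IMODE(st.st_mode)
    if mode & GROUP_OTHER_BITS:
        findings.append("mode %04o grants group/other access" % mode)
    return findings


def _bind(path, mode):
    """Create a unix socket bound at `path` with the given file mode."""
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.bind(path)
    os.chmod(path, mode)  # set explicitly rather than trusting the umask
    return s


def demo():
    """Constructed scenario: an owner-only socket, a world-accessible socket,
    a plain file and a missing path, all under a throwaway directory."""
    workdir = tempfile.mkdtemp(prefix="sockaudit-")
    good = os.path.join(workdir, "good.sock")
    bad = os.path.join(workdir, "bad.sock")
    plain = os.path.join(workdir, "plain")
    socks = [_bind(good, 0o600), _bind(bad, 0o666)]
    open(plain, "w").close()
    uid = os.getuid()
    try:
        return {
            "good": audit_unix_socket(good, uid),
            "bad": audit_unix_socket(bad, uid),
            "plain": audit_unix_socket(plain, uid),
            "missing": audit_unix_socket(os.path.join(workdir, "none.sock"), uid),
        }
    finally:
        for s in socks:
            s.close()
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or ["ok"])
```

Point `audit_unix_socket` at the daemon's real socket path (and the uid the
daemon runs as) to verify that a deployment actually gained the isolation the
changelog describes; a non-empty result means other local users can still talk
to the daemon.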
---
Henri Salo