Seafile local horizontal privilege escalation vulnerability

2014-08-24 / 2014-08-25
Credit: Henri Salo
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-264


CVSS Base Score: 4.6/10
Impact Subscore: 6.4/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Product: Seafile server for Linux
Vendor: Seafile Ltd. http://seafile.com/
Affected versions: 3.1.1, 3.0.4 and probably prior
Fixed in version: 3.1.2
Founder of this vulnerability: Kimmo Huoman
Vendor notification: 2014-08-05
Solution date: 2014-08-07
CVE reference: CVE-2014-5443
Description: Local horizontal privilege escalation

Steps to reproduce:

1. Install seafile for user1 (using the defaults)
2. Start seafile for user1 (./seafile.sh start; ./seahub.start) [ to create admin account ]
3. Install seafile for user2 (no need to change any of the defaults, this won't be run at all)
4. Change user2 password with command-line tool (./reset-admin.sh)
5. Login to user1 installation as admin with the login information created in previous step
6. Check user1 email address and change password for that account with CLI
7. Login to UI with new information and browse files...

Provided that the user hasn't logged out, he won't even notice the password change. Files keep on syncing etc also. Also all the files removed from the libraries (don't delete the library itself, just the files) are removed from the synced clients.

The issue seems to be related to ccnet handling user accounts instead of Django, which allows password changing through the daemon running (by default) at port 13418. If I change port in ccnet.conf to another, the client can't connect and password can't be changed (before changing the ccnet.conf for other account to correspond).

Changelog says:

Use unix domain socket in ccnet to listen for local connections. This isolates the access to ccnet daemon for different users. Thanks to Kimmo Huoman and Henri Salo for reporting this issue.

---
Henri Salo

References:

http://seclists.org/oss-sec/2014/q3/443

