privilege escalation / wrong permissions z-push and shared folders



  • Hi,

    Z-Push: 2.3.8+0-0
    PHP-MAPI: 8.4.5.0

    Two users, sw and th, have both granted each other read permissions on their own calendars.
    Additionally, I have set each other's calendar in z-push.conf.php to be shared. That works, but private calendar entries can be read by each other and the opposite person cannot read their own private calendar entries! They are just shown as “private” without any text at all. Looks clearly like a z-push/kopano bug.

    Removing the shared calendar stanza from the config and resyncing the calendars brings back visibility of own private entries. Only setting a single calendar as shared also did not show the issue.

    Any help is greatly appreciated. I already did several full resyncs and removed the accounts from the devices and re-added them. No change.

        array(
            'store'     => "th",
            'folderid'  => "67d6431c83e046cf9cd86b5f372bc306c20000000000",
            'name'      => "th Kontakte",
            'type'      => SYNC_FOLDER_TYPE_USER_APPOINTMENT,
        ),
    
        array(
            'store'     => "sw",
            'folderid'  => "67d6431c83e046cf9cd86b5f372bc3063f0000000000",
            'name'      => "sw Kontakte",
            'type'      => SYNC_FOLDER_TYPE_USER_APPOINTMENT,
        ),
    
    );
    
    root@mailserver:/home/admin# /usr/share/z-push/backend/kopano/listfolders.php -l sw
    Available folders in store 'sw':
    --------------------------------------------------
    Folder name:	Kalender
    Folder ID:	67d6431c83e046cf9cd86b5f372bc3063f0000000000
    Type:		SYNC_FOLDER_TYPE_USER_APPOINTMENT
    
    
    root@mailserver:/home/admin# /usr/share/z-push/backend/kopano/listfolders.php -l th
    Available folders in store 'th':
    --------------------------------------------------
    
    Folder name:	Kalender
    Folder ID:	67d6431c83e046cf9cd86b5f372bc306c20000000000
    Type:		SYNC_FOLDER_TYPE_USER_APPOINTMENT
    

    The calendar is distributed to each other's devices (iOS & Android with the Nine e-mail app).

    root@mailserver:/home/admin# z-push-admin -u sw -a list
    
    Synchronized devices of user: sw
    -----------------------------------------------------
    DeviceId:		5f6eopsocd6jvfeo6bv5r6h4t8
    Device type:		iPad
    UserAgent:		Apple-iPad4C4/1503.153
    Device Model:		iPad4C4
    Device friendly name:	iPad mini 2
    Device OS:		iOS 11.2.1 15C153
    Device OS Language:	de-DE
    ActiveSync version:	14.0
    First sync:		2018-01-18 15:22
    Last sync:		2018-01-18 15:41
    Total folders:		12
    Short folder Ids:	Yes
    Synchronized folders:	7
    Synchronized data:	Calendars(2) Emails(2) Contacts Notes Tasks 
    Additional Folders:	2
    	Configured Calendar th             th Kontakte          Active 
    	Configured Calendar sw             sw Kontakte          Active 
    Status:			Not available
    WipeRequest on:		not set
    WipeRequest by:		not set
    Wiped on:		not set
    Policy name:		default
    Attention needed:	No errors known
    

    root@mailserver:/home/admin# z-push-admin -u th -a list

    Synchronized devices of user: th
    
    -----------------------------------------------------
    DeviceId:		5a0rc98qfh2ur5l5m83vdu9mv4
    Device type:		iPad
    UserAgent:		Apple-iPad5C3/1503.202
    Device Model:		iPad5C3
    Device friendly name:	iPad Air 2
    Device OS:		iOS 11.2.2 15C202
    Device OS Language:	de-DE
    ActiveSync version:	14.0
    First sync:		2017-12-21 17:18
    Last sync:		2018-01-18 16:01
    Total folders:		46
    Short folder Ids:	Yes
    Synchronized folders:	42
    Synchronized data:	Emails(37) Contacts Calendars(2) Notes Tasks 
    Additional Folders:	2
    	Configured Calendar th             th Kontakte          Active 
    	Configured Calendar sw             sw Kontakte          Active 
    Status:			OK
    WipeRequest on:		not set
    WipeRequest by:		not set
    Wiped on:		not set
    Policy name:		default
    Attention needed:	No errors known
    -----------------------------------------------------
    DeviceId:		nine1d0875dc8fa2
    Device type:		Android
    UserAgent:		Nine-xcover3ltexx/LMY48B
    Device Model:		SM-G388F
    Device IMEI:		.........
    Device friendly name:	xcover3ltexx
    Device OS:		Android 5.1.1.G388FXXS1BPL2
    Device OS Language:	German (Germany)
    Device Phone nr:	+49............
    Device Operator:	Telekom.de
    ActiveSync version:	14.0
    First sync:		2018-01-10 07:26
    Last sync:		2018-01-18 16:43
    Total folders:		47
    Short folder Ids:	Yes
    Synchronized folders:	7
    Synchronized data:	Emails(2) Contacts Calendars(2) Notes Tasks 
    Additional Folders:	2
    	Configured Calendar th             th Kontakte          Active 
    	Configured Calendar sw             sw Kontakte          Active 
    Status:			Not available
    WipeRequest on:		not set
    WipeRequest by:		not set
    Wiped on:		not set
    Policy name:		default
    Attention needed:	No errors known
    

  • Kopano

    Hi @plzk-de,

    since you are also in contact with our support (KS-39776) I’ll close up here to prevent double work.

