Using eGroupware 14.1 via CardDAV with Apple’s Addressbook.app, when trying to create a new contact, the authenticated user’s own profile is updated instead. Steps to reproduce the problem:
- eGroupware is set up for auto-detection with a set of RewriteRules in the web server’s document root
- Create an account in Addressbook, using just the host name as the server address and an existing eGroupware user’s credentials (e.g. bob and his password); inspecting the created account will reveal a server path of /egroupware/groupdav.php/principals/users/bob/
- Wait for Addressbook to sync
- add a new contact, fill out name, e-mail address, phone number, etc., and click Finish
- some synchronization will occur
- log in to eGroupware with the credentials of bob that you gave to Addressbook’s account, and you will find that bob has acquired the name, e-mail address, phone number, etc. of the contact you were trying to add. Bob’s login is still bob, but his name is now Alice
- the same happens even if bob does not have permission to change his own profile information
The latter implies that, besides any bugs Addressbook may have in its CardDAV implementation, any user can alter their own contact information through CardDAV even if the eGroupware setup does not authorize them to do so.
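To reproduce this without Addressbook.app in the loop, the following script (an added example, not part of the original report or of eGroupware) does what the client does: it reads the user's own vCard, PUTs a brand-new contact into the CardDAV collection with If-None-Match: * (so a correct server must create, never overwrite), then re-reads the user's own entry and reports which identity fields now carry the new contact's values. The collection path /addressbook/ under groupdav.php, the URL of the user's own entry, and the sample vCards are assumptions; only the principal path above is taken from the report.

```python
"""Reproduction helper for the CardDAV create-vs-update problem described above.
Added example, not code from the original report or from eGroupware.
Assumed (not in the report): the collection path <base>/addressbook/, the URL
of the user's own vCard (pass it in; find it with a PROPFIND/REPORT on the
collection), and the constructed sample contacts "Bob" and "Alice".
"""
import base64
import uuid
from urllib.request import Request, urlopen


def build_vcard(fn, email, tel, uid=None):
    """Build a minimal vCard 3.0 like the one a client sends for a new contact."""
    uid = uid or str(uuid.uuid4())
    lines = [
        "BEGIN:VCARD", "VERSION:3.0", f"UID:{uid}", f"FN:{fn}", f"N:{fn};;;;",
        f"EMAIL;TYPE=INTERNET:{email}", f"TEL;TYPE=CELL:{tel}", "END:VCARD",
    ]
    return "\r\n".join(lines) + "\r\n"


def parse_vcard(text):
    """Minimal parser: property name (parameters stripped) -> first value.
    Enough for UID/FN/EMAIL/TEL; not a general vCard parser."""
    props = {}
    for line in text.replace("\r\n", "\n").split("\n"):
        if ":" not in line or line.startswith(("BEGIN", "END")):
            continue
        name, value = line.split(":", 1)
        props.setdefault(name.split(";", 1)[0].upper(), value)
    return props


def profile_clobbered(own_before, own_after, new_contact):
    """Return the identity fields of the user's own entry that changed AND now
    equal the newly created contact's values. Empty list = profile intact."""
    b, a, n = parse_vcard(own_before), parse_vcard(own_after), parse_vcard(new_contact)
    return [k for k in ("FN", "EMAIL", "TEL")
            if a.get(k) != b.get(k) and a.get(k) == n.get(k)]


def _request(method, url, user, password, body=None, headers=None):
    """HTTP Basic-auth request; returns (status, body text)."""
    req = Request(url, data=body.encode("utf-8") if body else None, method=method)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    for k, v in (headers or {}).items():
        req.add_header(k, v)
    with urlopen(req) as resp:
        return resp.status, resp.read().decode("utf-8", "replace")


def reproduce(base, user, password, own_entry_url):
    """Run the scenario against a live server.
    base: e.g. https://host/egroupware/groupdav.php (path from the report)
    own_entry_url: URL of the user's own vCard in the collection (assumed)."""
    collection = f"{base}/addressbook/"  # assumed collection path
    _, before = _request("GET", own_entry_url, user, password)
    new_card = build_vcard("Alice", "alice@example.com", "+1 555 0100")  # constructed
    uid = parse_vcard(new_card)["UID"]
    # If-None-Match: * declares a create; a compliant server must not overwrite.
    status, _ = _request("PUT", f"{collection}{uid}.vcf", user, password, new_card,
                         {"Content-Type": "text/vcard; charset=utf-8",
                          "If-None-Match": "*"})
    _, after = _request("GET", own_entry_url, user, password)
    return status, profile_clobbered(before, after, new_card)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 5:
        print(reproduce(*sys.argv[1:]))
    else:
        print("usage: base_url user password own_entry_url")
```

If reproduce() returns a non-empty field list, the PUT of a new resource was applied to the authenticated user's own record; running it as a user who lacks permission to edit their profile also checks the authorization point made above.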