Adobe Connect User Community

#1 2014-06-05 11:39:04

axml

Adobe Connect API/Webservices - Serious bug - Security issue

I found a huge security/bug issue in the Adobe Connect API/Webservice method principal-update. I discovered that it is possible to update existing users just by using their Login ID instead of Principal ID:

Say I create a user John Doe:
https://connectapisite/api/xml?action=principal-update&account-id=###&type=guest&first-name=John&last-name=Doe&login=jdoe&password=asdasdasd&has-children=false

If I try to create another user Robert Ford with the same USERNAME:
https://connectapisite/api/xml?action=principal-update&account-id=###&type=guest&first-name=Robert&last-name=Ford&login=jdoe&password=asdasdfff&has-children=false

No error will be shown, INSTEAD it will change John Doe's first name/last name to Robert's name! This is a huge serious bug.

It SHOULD ONLY UPDATE users WHEN A PRINCIPAL ID IS PASSED IN. In fact, in Adobe's own documentation... it states to use a Principal ID to update the user.

So HOW exactly should I prevent this???? I cannot check if the login id exists before creating the user because that is not guaranteed.

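One client-side guard for the behaviour described in the post, as an added example that is not part of the original thread and not Adobe's code: before calling principal-update without a principal-id, look the login up with principal-list and its filter-login parameter, and refuse to proceed if a principal already owns it. The `make_fake_fetch` helper is a constructed stand-in for the HTTP layer that mimics the overwrite the post describes, so the example runs offline; `http_fetch`, `create_guest`, `find_principal_by_login` and the base URL `https://connectapisite` are assumed names, and a real call would also need the BREEZESESSION login cookie, which this example does not handle. The pre-check narrows, but does not close, the race the post points out: two concurrent creates with the same login can still collide between the list and the update.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import urlopen


class LoginAlreadyExists(Exception):
    """A principal already owns this login; principal-update without a
    principal-id would silently overwrite it instead of failing."""


def http_fetch(url):
    """Real transport (assumed helper): GET the URL and return the XML body.
    A BREEZESESSION cookie from a login call must be added for real use."""
    with urlopen(url) as resp:  # noqa: S310 - URL is built from our own params
        return resp.read().decode("utf-8")


def _parse_ok(xml_text):
    """Parse a Connect XML response and fail unless <status code="ok"/>."""
    root = ET.fromstring(xml_text)
    status = root.find("status")
    code = status.get("code") if status is not None else None
    if code != "ok":
        raise RuntimeError(f"Connect API returned status {code!r}")
    return root


def find_principal_by_login(fetch, base_url, account_id, login):
    """Return the principal-id owning `login`, or None if nobody does.
    Uses principal-list with filter-login (exact match on the login field)."""
    params = {"action": "principal-list", "account-id": account_id,
              "filter-login": login}
    root = _parse_ok(fetch(f"{base_url}/api/xml?{urlencode(params)}"))
    # Re-check the login in the result rather than trusting the filter blindly.
    matches = [p.get("principal-id") for p in root.iter("principal")
               if (p.findtext("login") or "") == login]
    return matches[0] if matches else None


def create_guest(fetch, base_url, account_id, first, last, login, password):
    """Create a guest principal, refusing to reuse an existing login.
    Returns the new principal-id on success."""
    existing = find_principal_by_login(fetch, base_url, account_id, login)
    if existing is not None:
        raise LoginAlreadyExists(f"login {login!r} is owned by principal {existing}")
    params = {"action": "principal-update", "account-id": account_id,
              "type": "guest", "first-name": first, "last-name": last,
              "login": login, "password": password, "has-children": "false"}
    root = _parse_ok(fetch(f"{base_url}/api/xml?{urlencode(params)}"))
    principal = root.find("principal")
    if principal is None:
        raise RuntimeError("principal-update returned ok but no <principal>")
    return principal.get("principal-id")


def make_fake_fetch(directory):
    """Constructed stand-in for the server: `directory` maps login -> (principal-id, name).
    It reproduces the post's behaviour: principal-update with an existing login
    replaces that user's name instead of returning an error."""
    def fetch(url):
        q = parse_qs(urlparse(url).query)
        action = q["action"][0]
        if action == "principal-list":
            login = q.get("filter-login", [""])[0]
            body = ""
            if login in directory:
                pid, name = directory[login]
                body = (f'<principal principal-id="{pid}"><name>{name}</name>'
                        f'<login>{login}</login></principal>')
            return f'<results><status code="ok"/><principal-list>{body}</principal-list></results>'
        if action == "principal-update":
            login = q["login"][0]
            name = f'{q["first-name"][0]} {q["last-name"][0]}'
            pid = directory[login][0] if login in directory else str(1000 + len(directory))
            directory[login] = (pid, name)  # overwrite, exactly as the post describes
            return (f'<results><status code="ok"/><principal principal-id="{pid}">'
                    f'<name>{name}</name><login>{login}</login></principal></results>')
        raise ValueError(f"unexpected action {action!r}")
    return fetch


if __name__ == "__main__":
    users = {"jdoe": ("12345", "John Doe")}  # constructed sample directory
    fake = make_fake_fetch(users)
    print(create_guest(fake, "https://connectapisite", "7", "Robert", "Ford", "rford", "pw"))
    try:
        create_guest(fake, "https://connectapisite", "7", "Robert", "Ford", "jdoe", "pw")
    except LoginAlreadyExists as exc:
        print("refused:", exc)
    print(users["jdoe"])  # John Doe is left untouched
```

To use it against a real account, pass `http_fetch` (with session handling added) in place of the fake and keep `account-id` as the page's `###` placeholder value from your own account.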
