#1 2014-06-05 11:39:04
- axml
Adobe Connect API/Webservices - Serious bug - Security issue
I found a huge security/bug issue in the Adobe Connect API/Webservice method principal-update. I discovered that it is possible to update existing users just by using their Login ID instead of Principal ID:
Say I create a user John Doe:
https://connectapisite/api/xml?action=principal-update&account-id=###&type=guest&first-name=John&last-name=Doe&login=jdoe&password=asdasdasd&has-children=false
If I try to create another user Robert Ford with the same USERNAME:
https://connectapisite/api/xml?action=principal-update&account-id=###&type=guest&first-name=Robert&last-name=Ford&login=jdoe&password=asdasdfff&has-children=false
No error will be shown, INSTEAD it will change John Doe's first name/last name to Robert's name! This is a huge serious bug.
It SHOULD ONLY UPDATE users WHEN A PRINCIPAL ID IS PASSED IN. In fact, in Adobe's own documentation, it states to use a Principal ID to update the user.
So HOW exactly should I prevent this???? I cannot check if the login id exists before creating the user because that is not guaranteed.
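The following is an added example, written here as a client-side guard around the call described in the post; it is not the poster's code and not Adobe's. It refuses to send `principal-update` without a `principal-id` unless a `principal-list` lookup shows the login is still free, so the silent rename of an existing account cannot happen from this client. It assumes that `principal-list` accepts a `filter-login=<login>` parameter and returns `<principal>` elements with `<login>` and `<name>` children, and that `principal-update` returns a `<principal principal-id="...">` element; the `FakeConnect` class is a constructed stand-in that reproduces the overwrite behaviour the post describes so the guard can be exercised offline, and the account id `123` and the base URL are placeholders.

```python
"""Guarded wrapper for Adobe Connect's principal-update call (added example).

Assumed, not taken from the post or Adobe's docs: principal-list accepts
filter-login=<login>; principal responses carry <name> and <login> children;
principal-update answers with <principal principal-id="...">.
"""
import urllib.parse
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape


class LoginAlreadyExists(Exception):
    """Raised instead of letting principal-update silently overwrite a user."""


def build_url(base, params):
    # Query-encode every value so a login containing '&' or '=' cannot add extra fields.
    return base + "/api/xml?" + urllib.parse.urlencode(params)


def status_code(xml_text):
    root = ET.fromstring(xml_text)
    status = root.find("status")
    return status.get("code") if status is not None else "no-status"


def find_principal_by_login(transport, base, account_id, login):
    """Return {'principal-id', 'name', 'login'} for an existing login, else None."""
    url = build_url(base, {"action": "principal-list", "account-id": account_id,
                           "filter-login": login})          # filter-login is assumed
    root = ET.fromstring(transport(url))
    for p in root.iter("principal"):
        if p.findtext("login") == login:                    # exact match, not a prefix hit
            return {"principal-id": p.get("principal-id"),
                    "name": p.findtext("name"), "login": login}
    return None


def safe_create_guest(transport, base, account_id, first, last, login, password):
    """Create a guest only if the login is free; never issue an update-by-login."""
    existing = find_principal_by_login(transport, base, account_id, login)
    if existing is not None:
        raise LoginAlreadyExists(
            f"login {login!r} belongs to principal {existing['principal-id']} "
            f"({existing['name']}); refusing to call principal-update")
    url = build_url(base, {"action": "principal-update", "account-id": account_id,
                           "type": "guest", "first-name": first, "last-name": last,
                           "login": login, "password": password, "has-children": "false"})
    body = transport(url)
    if status_code(body) != "ok":
        raise RuntimeError("principal-update failed: " + status_code(body))
    return ET.fromstring(body).find("principal").get("principal-id")


class FakeConnect:
    """Constructed stand-in reproducing the overwrite-by-login behaviour from the post."""

    def __init__(self):
        self.by_login = {}        # login -> {'principal-id', 'name'}
        self.next_id = 1000

    def __call__(self, url):
        q = dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(url).query))
        if q.get("action") == "principal-list":
            items = "".join(
                f'<principal principal-id="{p["principal-id"]}" type="guest">'
                f'<name>{escape(p["name"])}</name><login>{escape(l)}</login></principal>'
                for l, p in self.by_login.items() if q.get("filter-login", l) == l)
            return f'<results><status code="ok"/><principal-list>{items}</principal-list></results>'
        if q.get("action") == "principal-update" and "principal-id" not in q:
            # The reported defect: an existing login is updated in place, not rejected.
            rec = self.by_login.get(q["login"])
            if rec is None:
                rec = self.by_login[q["login"]] = {"principal-id": str(self.next_id)}
                self.next_id += 1
            rec["name"] = q["first-name"] + " " + q["last-name"]
            return f'<results><status code="ok"/><principal principal-id="{rec["principal-id"]}"/></results>'
        return '<results><status code="invalid"/></results>'


def demo():
    """Create John, then try Robert with the same login; report whether the guard held."""
    server, base, acct = FakeConnect(), "https://connectapisite", "123"   # placeholders
    pid = safe_create_guest(server, base, acct, "John", "Doe", "jdoe", "asdasdasd")
    try:
        safe_create_guest(server, base, acct, "Robert", "Ford", "jdoe", "asdasdfff")
        blocked = False
    except LoginAlreadyExists:
        blocked = True
    return pid, blocked, server.by_login["jdoe"]["name"]


if __name__ == "__main__":
    print(demo())
```

The lookup narrows the window but does not close it: two clients racing between the `principal-list` check and the `principal-update` call can still collide, which is the "not guaranteed" concern in the post. The guard is therefore a client-side mitigation and an audit point (log every refusal), not a substitute for the server rejecting a duplicate login when no `principal-id` is supplied.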