High severity8.1NVD Advisory· Published Nov 27, 2017· Updated May 13, 2026
CVE-2017-15055
CVE-2017-15055
Description
TeamPass before 2.1.27.9 does not properly enforce item access control when requesting items.queries.php. It is then possible to copy any arbitrary item into a directory controlled by the attacker, edit any item within a read-only directory, delete an arbitrary item, delete the file attachments of an arbitrary item, copy the password of an arbitrary item to the copy/paste buffer, access the history of an arbitrary item, and edit attributes of an arbitrary directory. To exploit the vulnerability, an authenticated attacker must tamper with the requests sent directly, for example by changing the "item_id" parameter when invoking "copy_item" on items.queries.php.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
nilsteampassnet/teampassPackagist | < 2.1.27.9 | 2.1.27.9 |
Affected products
1Patches
15 files changed · +244 −109
index.php+3 −1 modified@@ -177,7 +177,9 @@ // Load user languages files if (in_array($session_user_language, $languagesList) === true) { - require_once $SETTINGS['cpassman_dir'].'/includes/language/'.$session_user_language.'.php'; + if (file_exists($SETTINGS['cpassman_dir'].'/includes/language/'.$session_user_language.'.php') === true) { + require_once $SETTINGS['cpassman_dir'].'/includes/language/'.$session_user_language.'.php'; + } } else { $_SESSION['error']['code'] = ERR_NOT_ALLOWED; //not allowed page include $SETTINGS['cpassman_dir'].'/error.php';
items.load.php+52 −35 modified@@ -290,7 +290,9 @@ function(data) { } // store the categories to be displayed - $("#display_categories").val(data.displayCategories); + if (data.displayCategories !== undefined) { + $("#display_categories").val(data.displayCategories); + } // store type of access on folder $("#access_level").val(data.access_level); @@ -350,7 +352,7 @@ function(data) { $("#query_next_start").val(data.list_to_be_continued); // display Categories if needed - if ($(".tr_fields") != undefined && data.displayCategories != "") { + if ($(".tr_fields") !== undefined && data.displayCategories !== undefined && data.displayCategories !== "") { var liste = data.displayCategories.split(';'); for (var i=0; i<liste.length; i++) { $(".itemCatName_"+liste[i]+", #newItemCatName_"+liste[i]+", #editItemCatName_"+liste[i]).show(); @@ -382,7 +384,7 @@ function(data) { $("#query_next_start").val(data.list_to_be_continued); // display Categories if needed - if ($(".tr_fields") != undefined && data.displayCategories != "") { + if ($(".tr_fields") != undefined && data.displayCategories !== undefined && data.displayCategories != "") { var liste = data.displayCategories.split(';'); for (var i=0; i<liste.length; i++) { $(".itemCatName_"+liste[i]+", #newItemCatName_"+liste[i]+", #editItemCatName_"+liste[i]).show(); @@ -420,10 +422,10 @@ function(data) { $.post( "sources/items.queries.php", { - type : "move_item", - item_id : ui.draggable.attr("id"), + type : "move_item", + item_id : ui.draggable.attr("id"), folder_id : $(this).attr("id").substring(4), - key : "<?php echo $_SESSION['key']; ?>" + key : "<?php echo $_SESSION['key']; ?>" }, function(data) { //increment / decrement number of items in folders @@ -926,34 +928,40 @@ function(data) { } //check if format error - if (data.error == "ERR_JSON_FORMAT") { + if (data.error === "ERR_JSON_FORMAT") { $("#div_loading").addClass("hidden"); - $("#edit_show_error").html(data.error + ' ERROR (JSON is broken)!!!!!'); - $("#edit_show_error").show(); - } else if (data.error == "ERR_KEY_NOT_CORRECT") { + $("#edit_show_error") + .html(data.error + ' ERROR (JSON is broken)!!!!!') + .show(); + } else if (data.error === "ERR_KEY_NOT_CORRECT") { $("#div_loading").addClass("hidden"); - $("#edit_show_error").html('Key verification for Query is not correct!'); - $("#edit_show_error").show(); + $("#edit_show_error") + .html('Key verification for Query is not correct!') + .show(); LoadingPage(); - }else if (data.error == "ERR_ENCRYPTION_NOT_CORRECT") { + }else if (data.error === "ERR_ENCRYPTION_NOT_CORRECT") { $("#div_loading").addClass("hidden"); - $("#edit_show_error").html('Item password could not be correctly encrypted!'); - $("#edit_show_error").show(); + $("#edit_show_error") + .html('Item password could not be correctly encrypted!') + .show(); LoadingPage(); - } else if (data.error == "ERR_PWD_TOO_LONG") { + } else if (data.error === "ERR_PWD_TOO_LONG") { $("#div_loading").addClass("hidden"); - $("#edit_show_error").html('<?php echo addslashes($LANG['error_pw_too_long']); ?>'); - $("#edit_show_error").show(); + $("#edit_show_error") + .html('<?php echo addslashes($LANG['error_pw_too_long']); ?>') + .show(); LoadingPage(); - } else if (data.error == "ERR_NOT_ALLOWED_TO_EDIT") { + } else if (data.error === "ERR_NOT_ALLOWED_TO_EDIT") { $("#div_formulaire_saisi").dialog("open"); - $("#new_show_error").html('User not allowed to edit this Item!'); - $("#new_show_error").show(); + $("#new_show_error") + .html('User not allowed to edit this Item!') + .show(); LoadingPage(); - } else if (data.error != "") { + } else if (data.error !== "") { $("#div_loading").addClass("hidden"); - $("#edit_show_error").html('<?php echo addslashes($LANG['error_not_allowed_to']); ?>'); - $("#edit_show_error").show(); + $("#edit_show_error") + .html('<?php echo addslashes($LANG['error_not_allowed_to']); ?>') + .show(); LoadingPage(); } else { //refresh item in list @@ -1268,19 +1276,23 @@ function AfficherDetailsItem(id, salt_key_required, expired_item, restricted, di return; } else { $("#timestamp_item_displayed").val(""); + var data = { + "id" : id, + "folder_id" : $('#hid_cat').val(), + "salt_key_required" : $('#recherche_group_pf').val(), + "salt_key_set" : $('#personal_sk_set').val(), + "expired_item" : expired_item, + "restricted" : restricted, + "page" : "items" + }; + //Send query $.post( "sources/items.queries.php", { - type : 'show_details_item', - id : id, - folder_id : $('#hid_cat').val(), - salt_key_required : $('#recherche_group_pf').val(), - salt_key_set : $('#personal_sk_set').val(), - expired_item : expired_item, - restricted : restricted, - page : "items", - key : "<?php echo $_SESSION['key']; ?>" + type : 'show_details_item', + data : prepareExchangedData(JSON.stringify(data), "encode", "<?php echo $_SESSION['key']; ?>"), + key : "<?php echo $_SESSION['key']; ?>" }, function(data_raw) { //decrypt data @@ -1589,7 +1601,7 @@ function(data_raw) { // continue loading data showDetailsStep2(id, param); - } else if (data.show_details == "1" && data.show_detail_option == "2") { + } else if (data.show_details === "1" && data.show_detail_option === "2") { $("#item_details_nok").addClass("hidden"); $("#item_details_ok").addClass("hidden"); $("#item_details_expired_full").show(); @@ -1658,6 +1670,11 @@ function(data) { return; } + if (data.error !== "") { + $("#div_dialog_message_text").html(data.error_text); + $("#div_dialog_message").show(); + } + $("#item_history_log").html(htmlspecialchars_decode(data.history)); $("#edit_past_pwds").attr('title', htmlspecialchars_decode(data.history_of_pwds)); $("#edit_past_pwds_div").html(htmlspecialchars_decode(data.history_of_pwds)); @@ -2601,7 +2618,7 @@ function(data) { $.post( "sources/items.queries.php", { - type : "update_rep", + type : "update_folder", data : prepareExchangedData(JSON.stringify(data), "encode", "<?php echo $_SESSION['key']; ?>"), key : "<?php echo $_SESSION['key']; ?>" },
sources/core.php+3 −1 modified@@ -71,7 +71,9 @@ function redirect($url) if (isset($SETTINGS_EXT['pwComplexity']) === false) { // Pw complexity levels if (isset($_SESSION['user_language']) === true && $_SESSION['user_language'] !== "0") { - require_once $SETTINGS['cpassman_dir'].'/includes/language/'.$_SESSION['user_language'].'.php'; + if (file_exists($SETTINGS['cpassman_dir'].'/includes/language/'.$_SESSION['user_language'].'.php') === true) { + require_once $SETTINGS['cpassman_dir'].'/includes/language/'.$_SESSION['user_language'].'.php'; + } $SETTINGS_EXT['pwComplexity'] = array( 0=>array(0, $LANG['complex_level0']), 25=>array(25, $LANG['complex_level1']),
sources/items.queries.php+162 −71 modified@@ -129,10 +129,10 @@ ); // Prepare variables - $label = noHTML(htmlspecialchars_decode($dataReceived['label'])); - $url = htmlspecialchars_decode($dataReceived['url']); + $label = filter_var(htmlspecialchars_decode($dataReceived['label']), FILTER_SANITIZE_STRING); + $url = filter_var(htmlspecialchars_decode($dataReceived['url']), FILTER_SANITIZE_STRING); $pw = htmlspecialchars_decode($dataReceived['pw']); - $login = htmlspecialchars_decode($dataReceived['login']); + $login = filter_var(htmlspecialchars_decode($dataReceived['login']), FILTER_SANITIZE_STRING); $tags = htmlspecialchars_decode($dataReceived['tags']); // is author authorized to create in this folder @@ -481,12 +481,12 @@ if (count($dataReceived) > 0) { // Prepare variables - $label = noHTML(($dataReceived['label'])); - $url = noHTML(htmlspecialchars_decode($dataReceived['url'])); + $label = filter_var(($dataReceived['label']), FILTER_SANITIZE_STRING); + $url = filter_var(htmlspecialchars_decode($dataReceived['url']), FILTER_SANITIZE_STRING); $pw = $original_pw = $sentPw = htmlspecialchars_decode($dataReceived['pw']); - $login = noHTML(htmlspecialchars_decode($dataReceived['login'])); + $login = filter_var(htmlspecialchars_decode($dataReceived['login']), FILTER_SANITIZE_STRING); $tags = htmlspecialchars_decode($dataReceived['tags']); - $email = noHTML(htmlspecialchars_decode($dataReceived['email'])); + $email = filter_var(htmlspecialchars_decode($dataReceived['email']), FILTER_SANITIZE_STRING); // perform a check in case of Read-Only user creating an item in his PF if ($_SESSION['user_read_only'] === true && (!in_array($dataReceived['categorie'], $_SESSION['personal_folders']) || $dataReceived['is_pf'] !== '1')) { @@ -533,10 +533,11 @@ && $restrictionActive === false ) || - (@in_array( - $post_id, - $_SESSION['list_folders_limited'][$post_folder_id] - )) + (null !== $post_folder_id + && isset($_SESSION['list_restricted_folders_for_items'][$post_folder_id]) + && in_array($post_id, $_SESSION['list_restricted_folders_for_items'][$post_folder_id]) + && $post_restricted === '1' + && $restrictionActive === false) ) { // Is pwd empty? if (empty($pw) && isset($_SESSION['user_settings']['create_item_without_password']) && $_SESSION['user_settings']['create_item_without_password'] !== '1') { @@ -1072,16 +1073,15 @@ && (!in_array($post_source_id, $_SESSION['personal_folders']) || !in_array($post_dest_id, $_SESSION['personal_folders'])) ) { - $returnValues = '[{"error" : "not_allowed"}, {"error_text" : "2'.addslashes($LANG['error_not_allowed_to']).'"}]'; + $returnValues = '[{"error" : "not_allowed"}, {"error_text" : "'.addslashes($LANG['error_not_allowed_to']).'"}]'; echo $returnValues; break; } $returnValues = $pw = ""; $is_perso = 0; - if (null !== $post_item_id - && empty($post_item_id) === false + if (empty($post_item_id) === false && empty($post_dest_id) === false ) { // load the original record into an array @@ -1090,6 +1090,15 @@ WHERE id=%i", $post_item_id ); + + // Check if the folder where this item is, is accessible to the user + if (in_array($originalRecord['id_tree'], $_SESSION['groupes_visibles'])) { + $returnValues = '[{"error" : "not_allowed"}, {"error_text" : "'.addslashes($LANG['error_not_allowed_to']).'"}]'; + echo $returnValues; + break; + } + + // Load the destination folder record into an array $dataDestination = DB::queryfirstrow( "SELECT personal_folder FROM ".prefix_table("nested_tree")." WHERE id=%i", @@ -1303,6 +1312,17 @@ break; } + // Decrypt and retreive data in JSON format + $dataReceived = prepareExchangedData($post_data, "decode"); + // Init post variables + $post_id = filter_var(htmlspecialchars_decode($dataReceived['id']), FILTER_SANITIZE_NUMBER_INT); + $post_folder_id = filter_var(htmlspecialchars_decode($dataReceived['folder_id']), FILTER_SANITIZE_NUMBER_INT); + $post_salt_key_required = filter_var(htmlspecialchars_decode($dataReceived['salt_key_required']), FILTER_SANITIZE_STRING); + $post_salt_key_set = filter_var(htmlspecialchars_decode($dataReceived['salt_key_set']), FILTER_SANITIZE_STRING); + $post_expired_item = filter_var(htmlspecialchars_decode($dataReceived['expired_item']), FILTER_SANITIZE_STRING); + $post_restricted = filter_var(htmlspecialchars_decode($dataReceived['restricted']), FILTER_SANITIZE_STRING); + $post_page = filter_var(htmlspecialchars_decode($dataReceived['page']), FILTER_SANITIZE_STRING); + $arrData = array(); // return ID $arrData['id'] = $post_id; @@ -1355,6 +1375,7 @@ $listNotif = array_filter(explode(";", $dataItem['notification'])); $listRest = array_filter(explode(";", $dataItem['restricted_to'])); $listeRestriction = $listNotification = $listNotificationEmails = ""; + $user_in_restricted_list_of_item = false; $rows = DB::query("SELECT id, login, email FROM ".prefix_table("users")); foreach ($rows as $record) { // Get auhtor @@ -1372,6 +1393,9 @@ // Get restriction list for users if (in_array($record['id'], $listRest)) { $listeRestriction .= $record['login'].";"; + if ($_SESSION['user_id'] === $record['id']) { + $user_in_restricted_list_of_item = true; + } } // Get notification list for users if (in_array($record['id'], $listNotif)) { @@ -1408,18 +1432,26 @@ if (empty($dataItem['restricted_to'])) { $restrictionActive = false; } + + // Check if user has a role that is accepted - $rows_tmp = DB::query("SELECT role_id FROM ".prefix_table("restriction_to_roles")." WHERE item_id=%i", $post_id); - $myTest = 0; - if (in_array($_SESSION['user_id'], $rows_tmp)) { - $myTest = 1; + $rows_tmp = DB::query( + "SELECT role_id + FROM ".prefix_table("restriction_to_roles")." + WHERE item_id=%i", + $post_id + ); + foreach ($rows_tmp as $rec_tmp) { + if (in_array($rec_tmp['role_id'], explode(';', $_SESSION['fonction_id']))) { + $restrictionActive = false; + } } // Uncrypt PW - if (null !== filter_input(INPUT_POST, 'salt_key_required', FILTER_SANITIZE_STRING) - && filter_input(INPUT_POST, 'salt_key_required', FILTER_SANITIZE_STRING) === '1' - && null !== filter_input(INPUT_POST, 'salt_key_set', FILTER_SANITIZE_STRING) - && filter_input(INPUT_POST, 'salt_key_set', FILTER_SANITIZE_STRING) === '1' + if (null !== $post_salt_key_required + && $post_salt_key_required === '1' + && null !== $post_salt_key_set + && $post_salt_key_set === '1' ) { $pw = cryption( $dataItem['pw'], @@ -1442,13 +1474,15 @@ } // check if item is expired - if (null !== filter_input(INPUT_POST, 'expired_item', FILTER_SANITIZE_STRING) - && filter_input(INPUT_POST, 'expired_item', FILTER_SANITIZE_STRING) === '1' + if (null !== $post_expired_item + && $post_expired_item === '1' ) { $item_is_expired = true; } else { $item_is_expired = false; } + + // check user is admin if ($_SESSION['user_admin'] === '1' && $dataItem['perso'] != 1 && (isset($SETTINGS_EXT['admin_full_right']) && $SETTINGS_EXT['admin_full_right'] === true) || !isset($SETTINGS_EXT['admin_full_right'])) { $arrData['show_details'] = 0; @@ -1459,8 +1493,14 @@ (isset($SETTINGS['anyone_can_modify']) && $SETTINGS['anyone_can_modify'] === '1' && $dataItem['anyone_can_modify'] === '1' && (in_array($dataItem['id_tree'], $_SESSION['groupes_visibles']) || $_SESSION['is_admin'] === '1') && $restrictionActive === false) || (null !== $post_folder_id - && isset($_SESSION['list_folders_limited'][$post_folder_id]) - && in_array($post_id, $_SESSION['list_folders_limited'][$post_folder_id])) + && isset($_SESSION['list_restricted_folders_for_items'][$post_folder_id]) + && in_array($post_id, $_SESSION['list_restricted_folders_for_items'][$post_folder_id]) + && $post_restricted === '1' + && $user_in_restricted_list_of_item === true) + || + (isset($SETTINGS['restricted_to_roles']) && $SETTINGS['restricted_to_roles'] === '1' + && $restrictionActive === false + ) ) { // Allow show details $arrData['show_details'] = 1; @@ -1626,8 +1666,8 @@ $arrData['categories'] = $arrCatList; // Manage user restriction - if (null !== filter_input(INPUT_POST, 'restricted', FILTER_SANITIZE_STRING)) { - $arrData['restricted'] = filter_input(INPUT_POST, 'restricted', FILTER_SANITIZE_STRING); + if (null !== $post_restricted) { + $arrData['restricted'] = $post_restricted; } else { $arrData['restricted'] = ""; } @@ -1724,6 +1764,13 @@ // get Item info $dataItem = DB::queryfirstrow("SELECT * FROM ".prefix_table("items")." WHERE id=%i", $post_id); + // Check if the folder where this item is, is accessible to the user + if (in_array($dataItem['id_tree'], $_SESSION['groupes_visibles'])) { + $returnValues = '[{"error" : "not_allowed"}, {"error_text" : "'.addslashes($LANG['error_not_allowed_to']).'"}]'; + echo prepareExchangedData($returnValues, "encode"); + break; + } + // GET Audit trail $history = ""; $historyOfPws = ""; @@ -1844,7 +1891,8 @@ "favourite" => $favourite, "files_edit" => $filesEdit, "files_id" => $files_id, - "has_change_proposal" => DB::count() + "has_change_proposal" => DB::count(), + "error" => "" ), "encode" ); @@ -1868,6 +1916,21 @@ break; } + // Check that user can access this item + $granted = accessToItemIsGranted($post_id); + if ($granted !== true) { + echo prepareExchangedData(array("error" => $granted), "encode"); + break; + } + + // Load item data + $data = DB::queryFirstRow( + "SELECT id_tree + FROM ".prefix_table("items")." + WHERE id = %i", + $post_id + ); + // delete item consists in disabling it DB::update( prefix_table("items"), @@ -1887,7 +1950,7 @@ * CASE * Update a Group */ - case "update_rep": + case "update_folder": // Check KEY and rights if ($post_key !== $_SESSION['key'] || $_SESSION['user_read_only'] === true) { $returnValues = '[{"error" : "not_allowed"}, {"error_text" : "'.addslashes($LANG['error_not_allowed_to']).'"}]'; @@ -1898,7 +1961,15 @@ $dataReceived = prepareExchangedData($post_data, "decode"); // Prepare variables - $title = htmlspecialchars_decode($dataReceived['title']); + $title = filter_var(htmlspecialchars_decode($dataReceived['title']), FILTER_SANITIZE_STRING); + $post_folder_id = filter_var(htmlspecialchars_decode($dataReceived['folder']), FILTER_SANITIZE_NUMBER_INT); + + // Check if user is allowed to access this folder + if (!in_array($post_folder_id, $_SESSION['groupes_visibles'])) { + echo '[{"error" : "'.addslashes($LANG['error_not_allowed_to']).'"}]'; + break; + } + // Check if title doesn't contains html codes if (preg_match_all("|<[^>]+>(.*)</[^>]+>|U", $title, $out)) { echo '[ { "error" : "'.addslashes($LANG['error_html_codes']).'" } ]'; @@ -1925,7 +1996,7 @@ "SELECT parent_id, personal_folder FROM ".prefix_table("nested_tree")." WHERE id = %i", - $dataReceived['folder'] + $post_folder_id ); // check if complexity level is good @@ -1956,7 +2027,7 @@ 'title' => $title ), 'id=%s', - $dataReceived['folder'] + $post_folder_id ); // update complixity value DB::update( @@ -1965,7 +2036,7 @@ 'valeur' => $dataReceived['complexity'] ), 'intitule = %s AND type = %s', - $dataReceived['folder'], + $post_folder_id, "complex" ); // rebuild fuild tree folder @@ -1988,23 +2059,34 @@ } // decrypt and retreive data in JSON format $dataReceived = prepareExchangedData($post_data, "decode"); + $post_source_folder_id = filter_var(htmlspecialchars_decode($dataReceived['source_folder_id']), FILTER_SANITIZE_NUMBER_INT); + $post_target_folder_id = filter_var(htmlspecialchars_decode($dataReceived['target_folder_id']), FILTER_SANITIZE_NUMBER_INT); + + // Check that user can access this folder + if (!in_array($post_source_folder_id, $_SESSION['groupes_visibles']) + || !in_array($post_target_folder_id, $_SESSION['groupes_visibles']) + ) { + $returnValues = '[{"error" : "'.addslashes($LANG['error_not_allowed_to']).'"}]'; + echo $returnValues; + break; + } $tmp_source = DB::queryFirstRow( "SELECT title, parent_id, personal_folder FROM ".prefix_table("nested_tree")." WHERE id = %i", - $dataReceived['source_folder_id'] + $post_source_folder_id ); $tmp_target = DB::queryFirstRow( "SELECT title, parent_id, personal_folder FROM ".prefix_table("nested_tree")." WHERE id = %i", - $dataReceived['target_folder_id'] + $post_target_folder_id ); // check if target is not a child of source - if ($tree->isChildOf($dataReceived['target_folder_id'], $dataReceived['source_folder_id']) === true) { + if ($tree->isChildOf($post_target_folder_id, $post_source_folder_id) === true) { $returnValues = '[{"error" : "'.addslashes($LANG['error_not_allowed_to']).'"}]'; echo $returnValues; break; @@ -2029,10 +2111,10 @@ DB::update( prefix_table("nested_tree"), array( - 'parent_id' => $dataReceived['target_folder_id'] + 'parent_id' => $post_target_folder_id ), 'id=%s', - $dataReceived['source_folder_id'] + $post_source_folder_id ); $tree->rebuild(); } @@ -2822,49 +2904,33 @@ echo prepareExchangedData($returnValues, "encode"); break; - /* - * CASE - * WANT TO CLIPBOARD PW/LOGIN OF ITEM - */ - case "get_clipboard_item": - $dataItem = DB::queryfirstrow( - "SELECT pw,login,perso FROM ".prefix_table("items")." WHERE id=%i", - $post_id - ); - - if (filter_input(INPUT_POST, 'field', FILTER_SANITIZE_STRING) === "pw") { - if ($dataItem['perso'] === '1') { - $data = cryption( - $dataItem['pw'], - $_SESSION['user_settings']['session_psk'], - "decrypt" - ); - } else { - $data = cryption( - $dataItem['pw'], - "", - "decrypt" - ); - } - } else { - $data = $dataItem['login']; - } - // Encrypt data to return - echo prepareExchangedData($data, "encode"); - break; - /* * CASE * DELETE attached file from an item */ case "delete_attached_file": // Get some info before deleting $data = DB::queryFirstRow( - "SELECT name,id_item,file + "SELECT name, id_item, file FROM ".prefix_table("files")." WHERE id = %i", filter_input(INPUT_POST, 'file_id', FILTER_SANITIZE_NUMBER_INT) ); + + // Load item data + $data_item = DB::queryFirstRow( + "SELECT id_tree + FROM ".prefix_table("items")." + WHERE id = %i", + $data['id_item'] + ); + + // Check that user can access this folder + if (!in_array($data_item['id_tree'], $_SESSION['groupes_visibles'])) { + echo prepareExchangedData(array("error" => "ERR_FOLDER_NOT_ALLOWED"), "encode"); + break; + } + if (!empty($data['id_item'])) { // Delete from FILES table DB::delete( @@ -3002,6 +3068,14 @@ $post_folder_id ); + // Check that user can access this folder + if (!in_array($dataSource['id_tree'], $_SESSION['groupes_visibles']) + || !in_array($post_folder_id, $_SESSION['groupes_visibles']) + ) { + echo '[{"error" => "ERR_FOLDER_NOT_ALLOWED"}]'; + break; + } + // previous is non personal folder and new too if ($dataSource['personal_folder'] === '0' && $dataDestination['personal_folder'] === '0') { // just update is needed. Item key is the same @@ -3108,6 +3182,15 @@ WHERE i.id=%i", $item_id ); + + // Check that user can access this folder + if (!in_array($dataSource['id_tree'], $_SESSION['groupes_visibles']) + || !in_array($post_folder_id, $_SESSION['groupes_visibles']) + ) { + echo '[{"error":"not_allowed" , "status":"ok"}]'; + break; + } + // get data about new folder $dataDestination = DB::queryfirstrow( "SELECT personal_folder, title FROM ".prefix_table("nested_tree")." WHERE id = %i", @@ -3227,6 +3310,14 @@ $item_id ); + // Check that user can access this folder + if (!in_array($dataSource['id_tree'], $_SESSION['groupes_visibles']) + || !in_array($post_folder_id, $_SESSION['groupes_visibles']) + ) { + echo prepareExchangedData(array("error" => "ERR_FOLDER_NOT_ALLOWED"), "encode"); + break; + } + // perform a check in case of Read-Only user creating an item in his PF if ($_SESSION['user_read_only'] === true) { echo prepareExchangedData(array("error" => "ERR_FOLDER_NOT_ALLOWED"), "encode");
sources/main.functions.php+24 −1 modified@@ -630,7 +630,7 @@ function identifyUserRights($groupesVisiblesUser, $groupesInterditsUser, $isAdmi } // get complete list of ROLES - $tmp = explode(";", $_SESSION['fonction_id']); + $tmp = explode(";", $idFonctions); $rows = DB::query( "SELECT * FROM ".prefix_table("roles_title")." ORDER BY title ASC" @@ -656,6 +656,7 @@ function identifyUserRights($groupesVisiblesUser, $groupesInterditsUser, $isAdmi $_SESSION['groupes_interdits'] = array(); $_SESSION['personal_visible_groups'] = array(); $_SESSION['read_only_folders'] = array(); + $_SESSION['fonction_id'] = $idFonctions; $groupesInterdits = array(); if (!is_array($groupesInterditsUser)) { $groupesInterditsUser = explode(';', trimElement($groupesInterditsUser, ";")); @@ -2110,3 +2111,25 @@ function chmodRecursive($dir, $dirPermissions, $filePermissions) return $res; } + +/** + * Check if user can access to this item + * @param $item_id + */ +function accessToItemIsGranted($item_id) +{ + // Load item data + $data = DB::queryFirstRow( + "SELECT id_tree + FROM ".prefix_table("items")." + WHERE id = %i", + $item_id + ); + + // Check if user can access this folder + if (!in_array($data['id'], $_SESSION['groupes_visibles'])) { + return "ERR_FOLDER_NOT_ALLOWED"; + } + + return true; +}
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4- github.com/nilsteampassnet/TeamPass/commit/5f16f6bb132138ee04eb1e0debf2bdc7d7b7a15fnvdPatchWEB
- blog.amossys.fr/teampass-multiple-cve-01.htmlnvdExploitTechnical DescriptionThird Party AdvisoryWEB
- github.com/advisories/GHSA-7ghm-6p42-h226ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2017-15055ghsaADVISORY
News mentions
0No linked articles in our index yet.