• Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
    Dedicated community for Japanese speakers
  • 한국 커뮤니티
    Dedicated community for Korean speakers
Exit
0

Adobe Connect API/Webservices - Serious bug - Security issue

Community Beginner ,
Jun 05, 2014 Jun 05, 2014

Copy link to clipboard

Copied

I found a huge security/bug issue in the Adobe Connect API/Webservice method  principal-update. I discovered that it is possible to update existing users just by using their Login ID instead of Principal ID:

Say I create a user John Doe:
https://connectapisite/api/xml?action=principal-update&account-id=###&type=guest&first-name=John&las...

If I try to create another user Robert Ford with the same USERNAME:
https://connectapisite/api/xml?action=principal-update&account-id=###&type=guest&first-name=Robert&l...

No error will be shown, INSTEAD it will change John Doe's first name/last name to Robert's name! This is a huge serious bug.

It SHOULD ONLY UPDATE users WHEN A PRINCIPAL ID IS PASSED IN. In fact, in Adobe's own documentation...it states to use a Prinicpal ID to update the user.

So HOW exactly should I prevent this???? I cannot check if the login id exists before creating the user because that is not guaranteed.

Views

296

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
LEGEND ,
Jun 05, 2014 Jun 05, 2014

Copy link to clipboard

Copied

LATEST

I strongly recommend that you post the bug here, Adobe - Feature Request/Bug Report Form, and then contact support at 800-945-9120. If you have a licensed deployment, reach out to the contact listed in your support agreement.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines