I found a huge security/bug issue in the Adobe Connect API/Webservice method principal-update. I discovered that it is possible to update existing users just by using their Login ID instead of Principal ID:
Say I create a user John Doe:
https://connectapisite/api/xml?action=principal-update&account-id=###&type=guest&first-name=John&las...
If I try to create another user Robert Ford with the same USERNAME:
https://connectapisite/api/xml?action=principal-update&account-id=###&type=guest&first-name=Robert&l...
No error will be shown, INSTEAD it will change John Doe's first name/last name to Robert's name! This is a huge serious bug.
It SHOULD ONLY UPDATE users WHEN A PRINCIPAL ID IS PASSED IN. In fact, in Adobe's own documentation... it states to use a Principal ID to update the user.
So HOW exactly should I prevent this???? I cannot check if the login id exists before creating the user because that is not guaranteed.
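A client-side guard for the behaviour described above, as an added example that is not from the original post or from Adobe: it looks up the login with principal-list before any create (filter-login is assumed to be accepted by that action), insists on an explicit principal-id for updates, and ships with a constructed in-memory stand-in that reproduces the overwrite so the guard can be exercised offline.

```python
import xml.etree.ElementTree as ET
from typing import Callable, Dict

Send = Callable[[Dict[str, str]], str]   # posts query parameters to /api/xml and returns the XML body

class LoginCollision(Exception):
    """Raised when a create would have been turned into an update of an existing login."""

def principal_ids_for_login(send: Send, login: str) -> set:
    """Return principal-ids already using this login (principal-list with filter-login is assumed)."""
    root = ET.fromstring(send({"action": "principal-list", "filter-login": login}))
    return {p.get("principal-id") for p in root.iter("principal")}

def create_guest(send: Send, account_id: str, login: str, first: str, last: str, password: str) -> str:
    """Create a guest and return its principal-id; refuse a create that would land on an existing login."""
    existing = principal_ids_for_login(send, login)
    if existing:
        raise LoginCollision(f"login {login!r} already used by principal-id(s) {sorted(existing)}")
    root = ET.fromstring(send({"action": "principal-update", "account-id": account_id, "type": "guest",
                               "login": login, "first-name": first, "last-name": last, "password": password}))
    if root.find("status").get("code") != "ok":
        raise RuntimeError(ET.tostring(root, encoding="unicode"))
    return root.find("principal").get("principal-id")

def update_principal(send: Send, principal_id: str, **fields: str) -> None:
    """Updates always name the principal-id explicitly, as the documentation describes."""
    send({"action": "principal-update", "principal-id": principal_id, **fields})

class FakeConnect:
    """Constructed in-memory stand-in reproducing the reported behaviour: principal-update without
    a principal-id matches on login and overwrites that record instead of failing."""
    def __init__(self) -> None:
        self.users: Dict[str, Dict[str, str]] = {}
        self.next_id = 1000

    def __call__(self, p: Dict[str, str]) -> str:
        if p["action"] == "principal-list":
            hits = "".join(f'<principal principal-id="{pid}"><login>{u["login"]}</login></principal>'
                           for pid, u in self.users.items() if u["login"] == p.get("filter-login"))
            return f'<results><status code="ok"/><principal-list>{hits}</principal-list></results>'
        pid = p.get("principal-id") or next((i for i, u in self.users.items() if u["login"] == p.get("login")), None)
        if pid is None:                      # genuinely new login: allocate a fresh principal-id
            pid, self.next_id = str(self.next_id), self.next_id + 1
        rec = self.users.setdefault(pid, {})
        rec.update({k: p[k] for k in ("login", "first-name", "last-name") if k in p})
        return f'<results><status code="ok"/><principal principal-id="{pid}"/></results>'
```

The pre-check does not close the window between the lookup and the create that the post mentions; serializing creates inside your own integration (one lock around create_guest) narrows it for the callers you control.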
I strongly recommend that you post the bug here, Adobe - Feature Request/Bug Report Form, and then contact support at 800-945-9120. If you have a licensed deployment, reach out to the contact listed in your support agreement.