Bugs: Permissions in the Files Tool

Thanks to Kevin Reeuwijk at Getronics for discovering a vulnerability in the Groove Files tool.

He describes the problem here: https://www.buit.org/2007/02/09/security-loophole-found-in-groove-2007-files-tool/

Essentially, there is a bug which enables a user with default "participant" permissions in a workspace to overwrite a file in that workspace, even if they are not the owner of that file. Once they have overwritten the file, they become the owner of the file, and can now delete it. The expectation is that Participants cannot delete other people's files in the workspace. While there is a workaround, this is not working as designed!

There are several mitigating factors, and a workaround, that you should be aware of:

  1. This is an attack that can only happen from within the workspace -- not from the outside.
  2. Note also that with the default "modify" permissions, the user can already delete the contents of the document and save it back into Groove. In some ways, deleting the file may be perceived as just a small step further, except that deleting the file doesn't leave a visible trail in the UI, whereas modifying the contents does.
  3. As a workaround, you can protect against this vulnerability by removing the Modify Files permission for participants in a workspace (right-click on the tool, choose Properties, and change the permissions).

Thanks again to Kevin for reporting this bug.
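The ownership flaw and the workaround can be modeled in a few lines. This is an added example, not Groove code or code from the original post: the class, field and user names are assumptions for illustration, and the owner-preserving variant is one possible correction, not a description of any actual fix.

```python
# Toy model of the Files tool flaw. Not Groove code: every name is assumed.
from dataclasses import dataclass, field


@dataclass
class FilesTool:
    owner_follows_last_writer: bool          # True models the reported bug
    participant_perms: set = field(default_factory=lambda: {"modify"})
    files: dict = field(default_factory=dict)  # name -> {"owner", "data"}

    def add(self, user, name, data):
        self.files[name] = {"owner": user, "data": data}

    def overwrite(self, user, name, data):
        if "modify" not in self.participant_perms:
            raise PermissionError("Modify Files permission removed")
        entry = self.files[name]
        entry["data"] = data
        if self.owner_follows_last_writer:
            entry["owner"] = user            # flaw: a write transfers ownership

    def delete(self, user, name):
        # Intended rule: participants may delete only files they own.
        if self.files[name]["owner"] != user:
            raise PermissionError("participants cannot delete others' files")
        del self.files[name]


def participant_deletes_others_file(tool):
    """Return True if participant bob ends up deleting alice's file."""
    tool.add("alice", "plan.doc", b"v1")     # constructed sample data
    try:
        tool.overwrite("bob", "plan.doc", b"v2")
        tool.delete("bob", "plan.doc")
    except PermissionError:
        return False
    return "plan.doc" not in tool.files


if __name__ == "__main__":
    print("as reported:", participant_deletes_others_file(FilesTool(True)))
    print("owner preserved:", participant_deletes_others_file(FilesTool(False)))
    print("workaround:", participant_deletes_others_file(FilesTool(True, participant_perms=set())))
```

In the model, the delete check itself is correct; the problem is that a write changes the value the check depends on, which is why removing Modify Files closes the path.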

I don't have an ETA for a fix, but other than that, let me know if you have any additional questions about this!

Link to this Article:

https://blogs.technet.com/groove/archive/2007/02/14/permissions-in-the-files-tool.aspx
