Creating a SharePoint List Item where I don't have access to that List
I have already discussed this SharePoint 2013/Office 365 security issue/bug on the SharePoint Community discussion board two days ago, at the link below:
Today, on an Office 365 environment, I created a workflow that uses an App Step to perform an item creation on a list on which the user doesn't have permission.
I have two SharePoint custom lists:
- Full Permission List (user Hemant has Full Control)
- Unique Permission List (user Hemant does not have any rights)
Full Permission List, where user Hemant has full permission on the list, as shown below.
Unique Permission List, where user Hemant does not have permission on the list, as shown below. He cannot perform add/update/delete operations.
In the ideal scenario, if I try to add an item to "Unique Permission List", I cannot, because I have no rights on "Unique Permission List".
But I have full rights to create items in "Full Permission List", and I can also create a workflow on "Full Permission List".
So now I will create a workflow on "Full Permission List" and add one "App Step" activity to it. The "App Step" activity runs under elevated privileges (the workflow app's identity, not the user who started the workflow).
Using the "App Step" activity I will create one list item in "Unique Permission List", as shown below.
Because the "App Step" activity runs under elevated privileges, it creates the item in "Unique Permission List" as well.
So even though I don't have permission on "Unique Permission List", I have successfully created an item in "Unique Permission List".
Let's check the full flow:
1> I (Hemant) log in and create an item in "Full Permission List", as shown below.
2> The item is added to "Full Permission List", as shown below. Simultaneously, the workflow also adds an item to "Unique Permission List", on which I do not have permission.
3> Now I log in as a different user who does have permission on "Unique Permission List" and view the item newly added by the "App Step", as shown below.
So we have created a workflow that adds data from "Full Permission List" to "Unique Permission List" as user "Hemant".
Ideal scenario: the data should not be added to "Unique Permission List", because Hemant does not have permission on that list.
Actual scenario: the data gets added to "Unique Permission List", because the "App Step" activity in the workflow runs under elevated privileges.
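The following is an added model of the two scenarios above, not code from the original post or from SharePoint itself. It assumes (as the post describes) that the workflow app identity holds Full Control on both lists while Hemant has no rights on "Unique Permission List", and it contrasts the App Step as used above with the guard a site owner would want: the elevated step first checks whether the initiating user could have performed the write themselves, and refuses otherwise. The lists, users and item values are constructed for the example.

```python
"""Model of the SharePoint "App Step" behaviour described in the post.

Two lists with explicit per-user rights, an initiating user (Hemant), and a
workflow step that writes to the target list under the workflow app identity.
All names and rights below are constructed for illustration.
"""
from dataclasses import dataclass, field

READ, ADD, EDIT, DELETE = "Read", "Add", "Edit", "Delete"
FULL_CONTROL = frozenset({READ, ADD, EDIT, DELETE})

# Assumed identity that App Step activities run under; it holds Full Control.
WORKFLOW_APP = "workflow-app"


class AccessDenied(PermissionError):
    """Raised when a principal lacks the right needed for an operation."""


@dataclass
class SharePointList:
    title: str
    permissions: dict                  # principal -> frozenset of rights
    items: list = field(default_factory=list)

    def rights_for(self, principal):
        return self.permissions.get(principal, frozenset())

    def add_item(self, principal, item):
        # The list's own ACL check: only the principal doing the write is consulted.
        if ADD not in self.rights_for(principal):
            raise AccessDenied(f"{principal} cannot add items to '{self.title}'")
        self.items.append(dict(item))
        return self.items[-1]


def build_site():
    """Constructed site: Hemant has Full Control on one list and nothing on the other."""
    full = SharePointList("Full Permission List",
                          {"Hemant": FULL_CONTROL, WORKFLOW_APP: FULL_CONTROL})
    unique = SharePointList("Unique Permission List",
                            {"Admin": FULL_CONTROL, WORKFLOW_APP: FULL_CONTROL})
    return full, unique


def app_step_copy(initiator, target, item, check_initiator=False):
    """Workflow step that writes `item` to `target` as the workflow app.

    check_initiator=False reproduces the App Step from the post: the write is
    performed under the app identity and the initiator's rights on the target
    are never consulted.  check_initiator=True is the defensive variant: the
    step refuses unless the initiator could do the same write directly.
    """
    if check_initiator and ADD not in target.rights_for(initiator):
        raise AccessDenied(f"initiator {initiator} has no Add right on '{target.title}'")
    return target.add_item(WORKFLOW_APP, item)


def run_scenario(check_initiator):
    """Run the post's flow; return (outcome on the unique list, its item count)."""
    full, unique = build_site()
    item = {"Title": "Created by Hemant"}
    full.add_item("Hemant", item)          # step 1: Hemant has rights here
    try:
        app_step_copy("Hemant", unique, item, check_initiator=check_initiator)
        outcome = "added"                  # the post's "actual scenario"
    except AccessDenied:
        outcome = "denied"                 # the post's "ideal scenario"
    return outcome, len(unique.items)


if __name__ == "__main__":
    print("App Step as used in the post :", run_scenario(check_initiator=False))
    print("App Step with initiator check:", run_scenario(check_initiator=True))
```

The direct check in `add_item` is what stops Hemant from writing to "Unique Permission List" himself; the App Step sidesteps it because the principal performing the write is the workflow app, not Hemant. Re-checking the initiator's rights inside the elevated step is the simplest way to keep a workflow from granting write access that its author never had.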
So, can this scenario be considered a security loophole or bug in Microsoft SharePoint 2013/Office 365?
I have tested this scenario only by adding an item to a list on which I do not have permission. You can find more updates at: http://ift.tt/1Pf1C3c
But by following this trick I could also delete list items, and even the list itself.
Please provide your views!!
Thanks!!
by Hemant Patel via Everyone's Blog Posts - SharePoint Community