Multiple Cross Site Scripting Vulnerabilities in eGroupWare
---------------------------------------------------------------------------
Multiple Cross Site Scripting Vulnerabilities
in eGroupWare
---------------------------------------------------------------------------
Author: Joxean Koret
Date: 2004
Location: Basque Country
---------------------------------------------------------------------------
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
eGroupWare Version 1.0.0.003
eGroupWare is a multi-user, web-based
groupware suite developed on a custom
set of PHP-based APIs. Currently available
modules include: email, addressbook,are so
equals.
calendar, infolog (notes, to-do's, phone calls),
content management, forum,
bookmarks, wiki
Web: http://www.egroupware.org
---------------------------------------------------------------------------
Vulnerabilities:
~~~~~~~~~~~~~~~~
A. Multiple Cross Site Scripting Vulnerabilities
I will no explicate certain bugs continuosly
because all the XSS vulnerabilities
are equals.
A1. In the calendar module the parameter "date"
is vulnerable to an XSS
vulnerability. The error is due to an incorrect
sanitization of the "date"
parameter. To try the vulnerability :
http://<site-with-egroupware>/egroupware/index.php?menuaction=calendar.uicalendar.day&date=20040701"><script>alert(document.cookie)</script
A2. In the calendar module you have an option to
search any text. The module
doesn't makes any sanitization of the user
pased string. If you insert the
following text you will see the vulnerability :
"><script>alert(document.cookie)</script>
A3. In the Address book module eGroupWare
has the same problem. To try the
vulnerability Click on Address Book (at the top of
the web page) and in
the search field insert the following text, in a new
example :
"><h1>That's fun!</h1>
These are the parameters that are vulnerables :
At /egroupware/index.php?menuaction=addressbook.uiaddressbook.index :
Field parameter
Filter parameter
QField parameter
Start parameter
A4. The option to search between projects is
also vulnerable. Try this :
1.- Go to
http://<site-with-egroupware>/egroupware/index.php?menuaction=preferences.uiaclprefs.index&acl_app=projects
2.- Insert "><h1>this is new, and other XSS
vulnerability...</h1>
A5. In the messenger modules (when
composing a new message) "Subject"
field allows potentially dangerous HTML, such
as, in other new example :
">hi<img src="http://localhost/anyimage"
onload="javascript:alert(document.cookie)">
A6. In the Ticket module when making the same
action (creating a new element)
the same field (Subject) is also vulnerable.
The fix:
~~~~~~~~
Vendor is not yet contacted or I have no
response
---------------------------------------------------------------------------
Contact:
~~~~~~~~
Joxean Koret at
joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es