lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040822020227.891.qmail@www.securityfocus.com>
Date: 22 Aug 2004 02:02:27 -0000
From: Joxean Koret <joxeankoret@...oo.es>
To: bugtraq@...urityfocus.com
Subject: Multiple Cross Site Scripting Vulnerabilities in eGroupWare




--------------------------------------------------------------------------- 
         Multiple Cross Site Scripting Vulnerabilities 
in eGroupWare 
--------------------------------------------------------------------------- 
 
Author: Joxean Koret 
Date: 2004  
Location: Basque Country 
 
--------------------------------------------------------------------------- 
 
Affected software description: 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
 
eGroupWare Version 1.0.0.003 
 
eGroupWare is a multi-user, web-based 
groupware suite developed on a custom  
set of PHP-based APIs. Currently available 
modules include: email, addressbook,are so 
equals. 
calendar, infolog (notes, to-do's, phone calls), 
content management, forum,  
bookmarks, wiki 
 
Web: http://www.egroupware.org 
 
--------------------------------------------------------------------------- 
 
Vulnerabilities: 
~~~~~~~~~~~~~~~~ 
 
A. Multiple Cross Site Scripting Vulnerabilities 
 
I will no explicate certain bugs continuosly 
because all the XSS vulnerabilities  
are equals. 
 
A1. In the calendar module the parameter "date" 
is vulnerable to an XSS  
vulnerability. The error is due to an incorrect 
sanitization of the "date" 
parameter. To try the vulnerability :  
 
http://<site-with-egroupware>/egroupware/index.php?menuaction=calendar.uicalendar.day&date=20040701">&lt;script&gt;alert(document.cookie)</script 
 
A2. In the calendar module you have an option to 
search any text. The module 
doesn't makes any sanitization of the user 
pased string. If you insert the  
following text you will see the vulnerability :  
 
	">&lt;script&gt;alert(document.cookie)&lt;/script&gt; 
 
A3. In the Address book module eGroupWare 
has the same problem. To try the 
vulnerability Click on Address Book (at the top of 
the web page) and in  
the search field insert the following text, in a new 
example :  
 
	"><h1>That's fun!</h1> 
 
These are the parameters that are vulnerables :  
 
At /egroupware/index.php?menuaction=addressbook.uiaddressbook.index : 
 
	Field parameter  
	Filter parameter  
	QField parameter  
	Start parameter  
 
A4. The option to search between projects is 
also vulnerable. Try this :  
 
	1.- Go to 
http://<site-with-egroupware>/egroupware/index.php?menuaction=preferences.uiaclprefs.index&acl_app=projects 
	2.- Insert "><h1>this is new, and other XSS 
vulnerability...</h1> 
 
A5. In the messenger modules (when 
composing a new message) "Subject"  
field allows potentially dangerous HTML, such 
as, in other new example :  
 
">hi<img src="http://localhost/anyimage" 
onload="javascript:alert(document.cookie)"> 
 
A6. In the Ticket module when making the same 
action (creating a new element) 
the same field (Subject) is also vulnerable.  
 
The fix: 
~~~~~~~~ 
 
Vendor is not yet contacted or I have no 
response 
 
--------------------------------------------------------------------------- 
Contact: 
~~~~~~~~ 
 
	Joxean Koret at 
joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es 
 
 
 


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ