Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 89517 - www-apps/eGroupWare: XSS and SQL injection
Summary: www-apps/eGroupWare: XSS and SQL injection
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High minor (vote)
Assignee: Gentoo Security
URL: http://secunia.com/advisories/14982/
Whiteboard: B4 [glsa] vorlon
Keywords:
Depends on:
Blocks:
 
Reported: 2005-04-18 05:46 UTC by Jean-François Brunette (RETIRED)
Modified: 2005-04-25 09:34 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Jean-François Brunette (RETIRED) gentoo-dev 2005-04-18 05:46:44 UTC
Description:
Some vulnerabilities with unknown impacts have been reported in eGroupWare.

No more information is currently available.

Solution:
Update to version 1.0.0.007.
http://www.egroupware.org/downloads
Comment 1 Matthias Geerdsen (RETIRED) gentoo-dev 2005-04-18 05:54:08 UTC
from the website (http://www.egroupware.org):

News 15. Apr. 2005: new Security- + bugfix-release 1.0.0.007 (download-page)

This release contains fixes for the security problems reported by James from GulfTech Security Research. We recommend everyone to update to this release asap.
It also includes lots of bugfixes in nearly all applications and new / enhanced translations.

___

web-apps, pls bump
Comment 2 Aaron Walker (RETIRED) gentoo-dev 2005-04-20 10:31:13 UTC
In cvs.  CC'd archs please mark stable (beware there's ~5000 files thus webapp-config takes ages).
Comment 3 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-04-20 12:00:17 UTC
Stable on ppc.
Comment 4 Matthias Geerdsen (RETIRED) gentoo-dev 2005-04-20 13:01:39 UTC
XSS and SQL injection according to updated secunia advisory (rated B4)
Gulftech advisory is supposed to be available at http://www.gulftech.org/?node=research&article_id=00069-04202005 but only gives an error atm.
Comment 5 Marcus D. Hanwell (RETIRED) gentoo-dev 2005-04-20 16:18:31 UTC
amd64 done.
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-04-21 06:16:12 UTC
##########################################################
# GulfTech Security Research             April 20th, 2005
##########################################################
# Vendor  : eGroupware
# URL     : http://www.egroupware.org/
# Version : Versions Prior To 1.0.0.007
# Risk    : Multiple Vulnerabilities
##########################################################

Description:
eGroupware is a very popular open source web based collaboration software that can be used within an intranet, or externally via  the internet to build a community and/or help coordinate large projects. eGroupware also comes pre packaged in some linux distributions. GulfTech Security Research has found a few high risk SQL Injection vulnerabilities as well as Cross Site Scripting vulnerabilities. A new version of eGroupware is now available and all eGroupware users should upgrade immediately. Not only does the new eGroupware release address these security issues, but it also includes a number of important bugfixes!

Cross Site Scripting:
Cross site scripting exists in eGroupware. This vulnerability exists due to user supplied input not being checked properly. Below are examples that can be used for reference.

http://egroupware/index.php?menuaction=addressbook.uiaddressbook.edit&ab_id=11[XSS]
http://egroupware/index.php?menuaction=manual.uimanual.view&page=ManualAddressbook[XSS]
http://egroupware/index.php?menuaction=forum.uiforum.post&type=new[XSS]
http://egroupware/wiki/index.php?page=RecentChanges[XSS]
http://egroupware/wiki/index.php?action=history&page=WikkiTikkiTavi&lang=en[XSS]
http://egroupware/index.php?menuaction=wiki.uiwiki.edit&page=setup[XSS]
http://egroupware/sitemgr/sitemgr-site/?category_id=4[XSS]

This vulnerability could be used to steal cookie based authentication credentials within the scope of the current domain, or render hostile code in a victim's browser.

SQL Injection:
There are a number of SQL Injection vulnerabilities in eGroupware. These issues can be used by an attacker to retrieve sensitive information from the underlying database and aid in further attacks. Examples below

http://egroupware/tts/index.php?filter=u99[SQL]
http://egroupware/tts/index.php?filter=c99[SQL]
http://egroupware/index.php?menuaction=preferences.uicategories.index&cats_app=foobar[SQL]

We will not be releasing any exploited code as requested by the developers but these issues are not hard to exploit and all users should upgrade immediately.

Solution:
eGroupware 1.0.0.007 has been released to address these issues, and users can finfd the updated packages at the following location.

http://sourceforge.net/project/showfiles.php?group_id=78745

Special thanks to Mr Ralf Becker and the rest of the eGroupware team for addressing these issues fairly quickly despite the recent constitution and admin elections etc.

Related Info:
The original advisory can be found at the following location
http://www.gulftech.org/?node=research&article_id=00069-04202005

Credits:
James Bercegay of the GulfTech Security Research Team
Comment 7 Bryan Østergaard (RETIRED) gentoo-dev 2005-04-22 02:48:55 UTC
Alpha stable.
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2005-04-22 02:52:45 UTC
Security vote on GLSA need
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2005-04-23 01:19:51 UTC
I vote yes
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-04-23 02:16:38 UTC
I vote yes as well.
Comment 11 Matthias Geerdsen (RETIRED) gentoo-dev 2005-04-25 09:34:16 UTC
GLSA 200504-24