61510 2004-08-24 07:00 0000 www-apps/egroupware: Security update request: 1.0.0.004 fixes security problem 2004-09-02 13:53:42 0000 1 1 1 Unclassified Gentoo Linux Security unspecified All Linux RESOLVED FIXED http://www.egroupware.org/ B3 [glsa] P2 normal --- 1 scy-bugs-gentoo@scytale.name security@gentoo.org vorlon@gentoo.org web-apps@gentoo.org scy-bugs-gentoo@scytale.name 2004-08-24 07:00:39 0000 As told on www.egroupware.org, version 1.0.0.003 contains some security problems which are fixed in 1.0.0.004 (already out and downloadable). The ebuild should be updated and a GLSA should be published. Reproducible: Always Steps to Reproduce: vorlon@gentoo.org 2004-08-24 07:17:01 0000 Seems to refer to this posting on bugtraq: http://www.securityfocus.com/archive/1/372603/2004-08-21/2004-08-27/0 --------------------------------------------------------------------------- Multiple Cross Site Scripting Vulnerabilities in eGroupWare --------------------------------------------------------------------------- Author: Joxean Koret Date: 2004 Location: Basque Country --------------------------------------------------------------------------- Affected software description: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ eGroupWare Version 1.0.0.003 eGroupWare is a multi-user, web-based groupware suite developed on a custom set of PHP-based APIs. Currently available modules include: email, addressbook,are so equals. calendar, infolog (notes, to-do's, phone calls), content management, forum, bookmarks, wiki Web: http://www.egroupware.org --------------------------------------------------------------------------- Vulnerabilities: ~~~~~~~~~~~~~~~~ A. Multiple Cross Site Scripting Vulnerabilities I will no explicate certain bugs continuosly because all the XSS vulnerabilities are equals. A1. In the calendar module the parameter "date" is vulnerable to an XSS vulnerability. The error is due to an incorrect sanitization of the "date" parameter. To try the vulnerability : http://<site-with-egroupware>/egroupware/index.php?menuaction=calendar.uicalendar.day&date=20040701">&lt;script&gt;alert(document.cookie)</script A2. In the calendar module you have an option to search any text. The module doesn't makes any sanitization of the user pased string. If you insert the following text you will see the vulnerability : ">&lt;script&gt;alert(document.cookie)&lt;/script&gt; A3. In the Address book module eGroupWare has the same problem. To try the vulnerability Click on Address Book (at the top of the web page) and in the search field insert the following text, in a new example : "><h1>That's fun!</h1> These are the parameters that are vulnerables : At /egroupware/index.php?menuaction=addressbook.uiaddressbook.index : Field parameter Filter parameter QField parameter Start parameter A4. The option to search between projects is also vulnerable. Try this : 1.- Go to http://<site-with-egroupware>/egroupware/index.php?menuaction=preferences.uiaclprefs.index&acl_app=projects 2.- Insert "><h1>this is new, and other XSS vulnerability...</h1> A5. In the messenger modules (when composing a new message) "Subject" field allows potentially dangerous HTML, such as, in other new example : ">hi<img src="http://localhost/anyimage" onload="javascript:alert(document.cookie)"> A6. In the Ticket module when making the same action (creating a new element) the same field (Subject) is also vulnerable. The fix: ~~~~~~~~ Vendor is not yet contacted or I have no response --------------------------------------------------------------------------- Contact: ~~~~~~~~ Joxean Koret at joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es jaervosz@gentoo.org 2004-08-24 12:23:32 0000 web-apps please bump to 1.0.0.004 gurligebis@gentoo.org 2004-08-24 15:54:56 0000 Just rename the ebuild and build a digest. Submitting new ebuild in a sec. gurligebis@gentoo.org 2004-08-24 15:57:06 0000 Created an attachment (id=38123) egroupware-1.0.00.004.ebuild ebuild rl03@gentoo.org 2004-08-25 01:35:45 0000 In CVS jaervosz@gentoo.org 2004-08-25 01:44:34 0000 alpha and amd64 please mark stable kloeri@gentoo.org 2004-08-25 14:30:10 0000 Stable on alpha. jaervosz@gentoo.org 2004-08-31 14:19:35 0000 ***bump*** amd64 please mark stable ***bump*** lv@gentoo.org 2004-09-01 09:27:53 0000 stable on amd64 jaervosz@gentoo.org 2004-09-01 09:39:09 0000 Security this one is ready for GLSA, please draft. Upgrading to B3 as it is a XSS. lewk@gentoo.org 2004-09-01 13:37:59 0000 GLSA drafted. lewk@gentoo.org 2004-09-02 05:46:48 0000 The security update 1.0.00.004 break the functionality from the Email application. 1.0.00.004-2 has been released to fix this problem. web-apps please bump to 1.0.00.004-2 koon@gentoo.org 2004-09-02 05:48:04 0000 Back to ebuild status koon@gentoo.org 2004-09-02 05:49:42 0000 Apparently our 1.0.00.004 ebuild already uses that -2 subversion, so we're OK. Back to GLSA. jaervosz@gentoo.org 2004-09-02 13:53:42 0000 GLSA 200409-06 38123 2004-08-24 15:57 0000 egroupware-1.0.00.004.ebuild egroupware-1.0.00.004.ebuild text/plain IyBDb3B5cmlnaHQgMTk5OS0yMDA0IEdlbnRvbyBGb3VuZGF0aW9uCiMgRGlzdHJpYnV0ZWQgdW5k ZXIgdGhlIHRlcm1zIG9mIHRoZSBHTlUgR2VuZXJhbCBQdWJsaWMgTGljZW5zZSB2MgojICRIZWFk ZXI6IC92YXIvY3Zzcm9vdC9nZW50b28teDg2L3d3dy1hcHBzL2Vncm91cHdhcmUvZWdyb3Vwd2Fy ZS0xLjAuMDAuMDAzLmVidWlsZCx2IDEuMSAyMDA0LzA4LzE5IDEzOjEzOjI0IHJsMDMgRXhwICQK CmluaGVyaXQgd2ViYXBwCgpNWV9QPWVHcm91cFdhcmUtJHtQVn0tMgpTPSR7V09SS0RJUn0vJHtQ Tn0KCkRFU0NSSVBUSU9OPSJXZWItYmFzZWQgR3JvdXBXYXJlIHN1aXRlLiBJdCBjb250YWlucyBt YW55IG1vZHVsZXMiCkhPTUVQQUdFPSJodHRwOi8vd3d3LmVHcm91cFdhcmUub3JnLyIKU1JDX1VS ST0ibWlycm9yOi8vc291cmNlZm9yZ2UvJHtQTn0vJHtNWV9QfS50YXIuYnoyIgoKTElDRU5TRT0i R1BMLTIiCktFWVdPUkRTPSJ+eDg2IH5wcGMgfmFscGhhIH5hbWQ2NCB+c3BhcmMgfmhwcGEiCklV U0U9ImxkYXAiCgpERVBFTkQ9IiRERVBFTkQiClJERVBFTkQ9InZpcnR1YWwvcGhwCgl8fCAoID49 ZGV2LWRiL215c3FsLTMuMjMgPj1kZXYtZGIvcG9zdGdyZXNxbC03LjIgKQoJbGRhcD8gKCBuZXQt bmRzL29wZW5sZGFwICkKCW5ldC13d3cvYXBhY2hlIgoKcGtnX3NldHVwICgpIHsKCXdlYmFwcF9w a2dfc2V0dXAKCWVpbmZvICJQbGVhc2UgbWFrZSBzdXJlIHRoYXQgeW91ciBQSFAgaXMgY29tcGls ZWQgd2l0aCBMREFQIChpZiB1c2luZyBvcGVubGRhcCksIElNQVAsIGFuZCBNeVNRTHxQb3N0Z3Jl U1FMIHN1cHBvcnQiCgllaW5mbwoJZWluZm8gIkNvbnNpZGVyIGluc3RhbGxpbmcgYW4gTVRBIGlm IHlvdSB3YW50IHRvIHRha2UgYWR2YW50YWdlIG9mIGVHVydzIG1haWwgY2FwYWJpbGl0aWVzLiIK CXNsZWVwIDcKfQoKcGtnX2NvbXBpbGUoKSB7Cgk6Owp9CgpzcmNfaW5zdGFsbCgpIHsKCXdlYmFw cF9zcmNfcHJlaW5zdAoJY2QgJHtTfQoJIyByZW1vdmUgQ1ZTIGRpcmVjdG9yaWVzCglmaW5kIC4g LXR5cGUgZCAtbmFtZSAnQ1ZTJyAtcHJpbnQgfCB4YXJncyBybSAtcmYKCWNwIC1yIC4gJHtEfS8k e01ZX0hURE9DU0RJUn0KCgl3ZWJhcHBfc2VydmVyb3duZWQgJHtNWV9IVERPQ1NESVJ9L2Z1ZGZv cnVtCgl3ZWJhcHBfc2VydmVyb3duZWQgJHtNWV9IVERPQ1NESVJ9L3BocGd3YXBpL2ltYWdlcwoK CSMgYWRkIHBvc3QtaW5zdGFsbGF0aW9uIGluc3RydWN0aW9ucwoJd2ViYXBwX3Bvc3RpbnN0X3R4 dCBlbiAke0ZJTEVTRElSfS9wb3N0aW5zdGFsbC1lbi50eHQKCgl3ZWJhcHBfc3JjX2luc3RhbGwK fQo=