Bug#: 61510
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Tim Weber <scy-bugs-gentoo@scytale.name>

Attachment: egroupware-1.0.00.004.ebuild (text/plain, 1.28 KB), created by Bjarke Istrup Pedersen, 2004-08-24 15:57 0000

Description:   Opened: 2004-08-24 07:00 0000
As told on www.egroupware.org, version 1.0.0.003 contains some security
problems which are fixed in 1.0.0.004 (already out and downloadable). The
ebuild should be updated and a GLSA should be published.

Reproducible: Always
Steps to Reproduce:

------- Comment #1 From Matthias Geerdsen 2004-08-24 07:17:01 0000 -------
Seems to refer to this posting on bugtraq:

http://www.securityfocus.com/archive/1/372603/2004-08-21/2004-08-27/0


---------------------------------------------------------------------------
      Multiple Cross Site Scripting Vulnerabilities in eGroupWare
---------------------------------------------------------------------------
 
Author: Joxean Koret 
Date: 2004  
Location: Basque Country 
 
--------------------------------------------------------------------------- 
 
Affected software description: 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
 
eGroupWare Version 1.0.0.003 
 
eGroupWare is a multi-user, web-based groupware suite developed on a
custom set of PHP-based APIs. Currently available modules include:
email, addressbook, calendar, infolog (notes, to-do's, phone calls),
content management, forum, bookmarks, wiki
 
Web: http://www.egroupware.org 
 
--------------------------------------------------------------------------- 
 
Vulnerabilities: 
~~~~~~~~~~~~~~~~ 
 
A. Multiple Cross Site Scripting Vulnerabilities 
 
I will not explicate certain bugs continuously because all the XSS
vulnerabilities are equal.
 
A1. In the calendar module the parameter "date" is vulnerable to an XSS
vulnerability. The error is due to an incorrect sanitization of the
"date" parameter. To try the vulnerability :

http://<site-with-egroupware>/egroupware/index.php?menuaction=calendar.uicalendar.day&date=20040701"><script>alert(document.cookie)</script

 
A2. In the calendar module you have an option to search any text. The
module doesn't make any sanitization of the user passed string. If you
insert the following text you will see the vulnerability :

	"><script>alert(document.cookie)</script>
 
A3. In the Address book module eGroupWare has the same problem. To try
the vulnerability click on Address Book (at the top of the web page) and
in the search field insert the following text, in a new example :
 
	"><h1>That's fun!</h1> 
 
These are the parameters that are vulnerable :
 
At /egroupware/index.php?menuaction=addressbook.uiaddressbook.index : 
 
	Field parameter  
	Filter parameter  
	QField parameter  
	Start parameter  
 
A4. The option to search between projects is also vulnerable. Try this :

	1.- Go to http://<site-with-egroupware>/egroupware/index.php?menuaction=preferences.uiaclprefs.index&acl_app=projects

	2.- Insert "><h1>this is new, and other XSS vulnerability...</h1>
 
A5. In the messenger modules (when composing a new message) "Subject"
field allows potentially dangerous HTML, such as, in other new example :

">hi<img src="http://localhost/anyimage" onload="javascript:alert(document.cookie)">
 
A6. In the Ticket module when making the same action (creating a new
element) the same field (Subject) is also vulnerable.
 
The fix: 
~~~~~~~~ 
 
Vendor is not yet contacted or I have no response
 
--------------------------------------------------------------------------- 
Contact: 
~~~~~~~~ 
 
	Joxean Koret at 
joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es 
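
Added example, not part of the advisory, not eGroupWare code and not the 1.0.0.004 fix: the two defences the reported bugs call for, strict validation of a structured parameter such as "date" and output encoding of free text such as a search string echoed into a quoted attribute. The function names and the `query` field name are hypothetical; the inputs are the strings quoted in the advisory.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: accept only a real calendar date in YYYYMMDD form.
function parse_date_param(string $raw): ?string
{
    // \A and \z anchor the whole string, so a trailing newline or markup fails.
    if (preg_match('/\A(\d{4})(\d{2})(\d{2})\z/', $raw, $m) !== 1) {
        return null;
    }
    // Reject eight-digit values that are not dates, such as 20040231.
    if (!checkdate((int)$m[2], (int)$m[3], (int)$m[1])) {
        return null;
    }
    return $raw;
}

// Hypothetical helper: encode text for HTML body or a quoted attribute value.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern: the request value is copied into a double-quoted
// attribute, so a leading "> closes the attribute and the tag.
function render_search_unsafe(string $query): string
{
    return '<input type="text" name="query" value="' . $query . '">';
}

// Hardened pattern: quotes and angle brackets become entities and the
// value cannot leave the attribute.
function render_search_safe(string $query): string
{
    return '<input type="text" name="query" value="' . h($query) . '">';
}

// Constructed inputs, copied from the strings quoted in the advisory.
$date  = '20040701"><script>alert(document.cookie)</script';
$query = '"><h1>That\'s fun!</h1>';

var_dump(parse_date_param('20040701'));  // well-formed date is accepted
var_dump(parse_date_param($date));       // A1 input is rejected outright
echo render_search_unsafe($query), "\n"; // A3 input is parsed as markup
echo render_search_safe($query), "\n";   // A3 input is rendered as text
```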

------- Comment #2 From Sune Kloppenborg Jeppesen 2004-08-24 12:23:32 0000 -------
web-apps please bump to 1.0.0.004

------- Comment #3 From Bjarke Istrup Pedersen 2004-08-24 15:54:56 0000 -------
Just rename the ebuild and build a digest.
Submitting new ebuild in a sec.

------- Comment #4 From Bjarke Istrup Pedersen 2004-08-24 15:57:06 0000 -------
Created an attachment (id=38123) [details]
egroupware-1.0.00.004.ebuild

ebuild

------- Comment #5 From Renat Lumpau 2004-08-25 01:35:45 0000 -------
In CVS

------- Comment #6 From Sune Kloppenborg Jeppesen 2004-08-25 01:44:34 0000 -------
alpha and amd64 please mark stable

------- Comment #7 From Bryan Østergaard (RETIRED) 2004-08-25 14:30:10 0000 -------
Stable on alpha.

------- Comment #8 From Sune Kloppenborg Jeppesen 2004-08-31 14:19:35 0000 -------
***bump***
amd64 please mark stable
***bump***

------- Comment #9 From Travis Tilley (RETIRED) 2004-09-01 09:27:53 0000 -------
stable on amd64

------- Comment #10 From Sune Kloppenborg Jeppesen 2004-09-01 09:39:09 0000 -------
Security this one is ready for GLSA, please draft.

Upgrading to B3 as it is a XSS.

------- Comment #11 From Luke Macken (RETIRED) 2004-09-01 13:37:59 0000 -------
GLSA drafted.

------- Comment #12 From Luke Macken (RETIRED) 2004-09-02 05:46:48 0000 -------
The security update 1.0.00.004 breaks the functionality from the Email
application.  1.0.00.004-2 has been released to fix this problem.

web-apps please bump to 1.0.00.004-2

------- Comment #13 From Thierry Carrez (RETIRED) 2004-09-02 05:48:04 0000 -------
Back to ebuild status

------- Comment #14 From Thierry Carrez (RETIRED) 2004-09-02 05:49:42 0000 -------
Apparently our 1.0.00.004 ebuild already uses that -2 subversion, so we're OK.
Back to GLSA.

------- Comment #15 From Sune Kloppenborg Jeppesen 2004-09-02 13:53:42 0000 -------
GLSA 200409-06
