Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 74487 - www-apps/phpgroupware: Multiple vulnerabilities
Summary: www-apps/phpgroupware: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High minor (vote)
Assignee: Gentoo Security
URL: http://www.gulftech.org/?node=researc...
Whiteboard: B4 [glsa] lewk
Keywords:
Depends on:
Blocks:
 
Reported: 2004-12-15 06:17 UTC by Luke Macken (RETIRED)
Modified: 2005-01-06 15:23 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Luke Macken (RETIRED) gentoo-dev 2004-12-15 06:17:18 UTC
Multiple phpGroupWare Vulnerabilities
	
December 14th, 2004

Vendor 	: phpGroupWare
URL 	: http://www.phpgroupware.org
Version 	: phpGroupWare 0.9.16.003 And Earlier
Risk 	: Multiple Vulnerabilities



Description:
phpGroupWare (formerly known as webdistro) is a multi-user groupware suite written in PHP. It provides a Web-based calendar, todo-list, addressbook, email, news headlines, and a file manager. The calendar supports repeating events. The email system supports inline graphics and file attachments. The system as a whole supports user preferences, themes, user permissions, multi-language support, an advanced API, and user groups.


Full Path Disclosure:
phpGroupWare allows for full path disclosure. This issue can take place in more than one way. One example that will trigger the path disclosure is by appending junk (such as metacharacters) to the end of a session id. Below are two other examples

http://host/phpgroupware/preferences/preferences.php?appname=blah
http://host/phpgroupware/index.php?menuaction=blah

This will reveal the full physical path of the web directory, and could possibly aid a would be attacker. The other example of path disclosure can be triggered by specifying an invalid menu item.


Cross Site Scripting:
Cross Site Scripting takes place in multiple places in phpGroupWare. Below are some examples.

[Wrapped For Readability]

index.php?kp3=99884d8a63791f406585913d74476b11%22%3E%3Ciframe%3E
/index.php?menuaction=forum.uiforum.post&type=new%22%3E%3Ciframe%3E
/index.php?menuaction=forum.uiforum.read&msg=202%22%3E%3Ciframe%3E
/index.php?menuaction=forum.uiforum.read&forum_id=3%22%3E%3Ciframe%3E&msg=202
/index.php?menuaction=forum.uiforum.read&msg=42&pos=10%22%3E%3Ciframe%3E
/index.php?menuaction=preferences.uicategories.index&cats_app=%22%3E%3Ciframe%3E
/index.php?menuaction=preferences.uicategories.edit&cats_app=notes&extra=&global_
cats=True&cats_level=True&cat_parent=188&cat_id=188%22%3E%3Ciframe%3E
/index.php?menuaction=email.uimessage.message&msgball[msgnum]=1%22%3E%3Ciframe%3E
&msgball[folder]=INBOX.hello&msgball[acctnum]=0&sort=1&order=1&start=0
/index.php?menuaction=email.uicompose.compose&fldball[folder]=INBOX.hello&fldball
[acctnum]=0&to=%22%3E%3Ciframe%3E&personal=&sort=1&order=1&start=0
/tts/viewticket_details.php?ticket_id=338%22%3E%3Ciframe%3E
These Cross Site Scripting issues could allow an attacker to possibly gather sensitive information from a victim, and execute arbitrary client side code in the context of the victim's browser.


SQL Injection Vulnerabilities:
phpGrouWare has several SQL Injection holes. Some are not bad, some are a bit unorthadox, and a few are dangerous. One example of a kinda unorthadox SQL Injection is in the Trouble Ticket system. If an attacker requests a url like this:

http://host/phpgroupware/tts/viewticket_details.php?ticket_id=355[SQL_QUERY]

nothing will happen, but as soon as you save the ticket you are allowed to influence a SELECT query which could be very bad. Some more examples of the not so dangerous SQL Injection issues are:

/index.php?menuaction=todo.ui.show_list&order=[SQL_QUERY]
/index.php?menuaction=projects.uiprojects.list_projects&order=[SQL_QUERY]

It should be noted that other parts of this query can be tampered with also, such as the sort fields etc. Now for some examples of the more dangerous issues that let you influence the query right in the middle of a SELECT statement.
PATH = /index.php?menuaction=projects
PATH.uiprojects.edit_project&pro_main=31&action=subs&project_id=32[SQL_QUERY]
PATH.uiprojects.edit_project&pro_main=31[SQL_QUERY]&action=subs&project_id=32
PATH.uiprojects.view_project&pro_main=31&action=subs&project_id=32[SQL_QUERY]
PATH.uiprojects.view_project&pro_main=31[SQL_QUERY]&action=subs&project_id=32
PATH.uiprojecthours.view_hours&project_id=32&pro_parent=&action=subs&hours_id=26[SQL_QUERY]

These particular examples of SQL Injection in phpGroupWare should be fairly easily to exploit, however I will not be releasing any POC examples due to time constraints.


Note About The Examples:
All of the example url's had the session id, click history, and kp3 variables removed except where they were part of one of the examples. I also wrapped and removed parts of URLS for readability because they were so long, but it should still be obvious. if it isn't then let me know and I will post unedited examples in the GulfTech forums


Solution:
I was able to speak to one of the lead developers via IRC on September 25th, 2004. I made the developer aware of the vulnerabilities, and held off on publishing my findings for a couple of months. I have not been able to get in touch with any developers for some weeks now, so I publish my finding in hopes that the community will present a fix :)


Credits:
James Bercegay of the GulfTech Security Research Team
Comment 1 Luke Macken (RETIRED) gentoo-dev 2004-12-15 06:26:41 UTC
No release upstream regarding this issue yet.  Cc'ing web-apps.
Comment 2 Luke Macken (RETIRED) gentoo-dev 2004-12-23 11:43:29 UTC
0.9.16.004 is out.

web-apps, please bump.
Comment 3 Martin Holzer (RETIRED) gentoo-dev 2005-01-01 17:49:14 UTC
ebuild is now in cvs
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-01 23:41:38 UTC
Thx Martin.

Arches please test and mark stable.
Comment 5 Simon Stelling (RETIRED) gentoo-dev 2005-01-05 08:27:45 UTC
amd64 done
Comment 6 Lars Weiler (RETIRED) gentoo-dev 2005-01-05 16:27:01 UTC
ppc stable
Comment 7 Luke Macken (RETIRED) gentoo-dev 2005-01-05 17:01:53 UTC
Security, please vote on GLSA.
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-05 22:28:00 UTC
Path information disclosure, XSS issues and SQL injection. I vote for a GLSA on this one.
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2005-01-06 00:51:30 UTC
Yes I vote for GLSA too.
Comment 10 Luke Macken (RETIRED) gentoo-dev 2005-01-06 15:23:22 UTC
GLSA 200501-08