| Field | Value |
|---|---|
| Summary | www-apps/egroupware: Security update request: 1.0.0.004 fixes security problem |
| Product | Gentoo Security |
| Reporter | Tim Weber <scy-bugs-gentoo> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | normal |
| CC | vorlon, web-apps |
| Priority | High |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | http://www.egroupware.org/ |
| Whiteboard | B3 [glsa] |
| Package list | |
| Runtime testing required | --- |

Description
Tim Weber
2004-08-24 07:00:39 UTC
Seems to refer to this posting on bugtraq: http://www.securityfocus.com/archive/1/372603/2004-08-21/2004-08-27/0

Multiple Cross Site Scripting Vulnerabilities in eGroupWare

Author: Joxean Koret
Date: 2004
Location: Basque Country

Affected software description:

eGroupWare Version 1.0.0.003

eGroupWare is a multi-user, web-based groupware suite developed on a custom set of PHP-based APIs. Currently available modules include: email, addressbook, calendar, infolog (notes, to-do's, phone calls), content management, forum, bookmarks, wiki

Web: http://www.egroupware.org

Vulnerabilities:

A. Multiple Cross Site Scripting Vulnerabilities

I will not explicate certain bugs continuously because all the XSS vulnerabilities are equal.

A1. In the calendar module the parameter "date" is vulnerable to an XSS vulnerability. The error is due to an incorrect sanitization of the "date" parameter.

To try the vulnerability :

http://<site-with-egroupware>/egroupware/index.php?menuaction=calendar.uicalendar.day&date=20040701"><script>alert(document.cookie)</script

A2. In the calendar module you have an option to search any text. The module doesn't make any sanitization of the user passed string. If you insert the following text you will see the vulnerability :

"><script>alert(document.cookie)</script>

A3. In the Address book module eGroupWare has the same problem.

To try the vulnerability, click on Address Book (at the top of the web page) and in the search field insert the following text, in a new example :

"><h1>That's fun!</h1>

These are the parameters that are vulnerable :

At /egroupware/index.php?menuaction=addressbook.uiaddressbook.index :

Field parameter
Filter parameter
QField parameter
Start parameter

A4. The option to search between projects is also vulnerable. Try this :

1.- Go to http://<site-with-egroupware>/egroupware/index.php?menuaction=preferences.uiaclprefs.index&acl_app=projects

2.- Insert "><h1>this is new, and other XSS vulnerability...</h1>

A5. In the messenger modules (when composing a new message) "Subject" field allows potentially dangerous HTML, such as, in other new example :

">hi<img src="http://localhost/anyimage" onload="javascript:alert(document.cookie)">

A6. In the Ticket module when making the same action (creating a new element) the same field (Subject) is also vulnerable.

The fix:

Vendor is not yet contacted or I have no response

Contact:

Joxean Koret at joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es

web-apps please bump to 1.0.0.004

Just rename the ebuild and build a digest. Submitting new ebuild in a sec.

Created attachment 38123
egroupware-1.0.00.004.ebuild
ebuild
In CVS alpha and amd64 please mark stable

Stable on alpha.

***bump*** amd64 please mark stable

***bump***

stable on amd64 Security this one is ready for GLSA, please draft.

Upgrading to B3 as it is a XSS.

GLSA drafted.

The security update 1.0.00.004 breaks the functionality from the Email application. 1.0.00.004-2 has been released to fix this problem.

web-apps please bump to 1.0.00.004-2 Back to ebuild status

Apparently our 1.0.00.004 ebuild already uses that -2 subversion, so we're OK. Back to GLSA.

GLSA 200409-06
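
The input handling behind items A1 to A3 of the advisory, as an added PHP example that is not part of the original bug report and is not eGroupWare's code. All function names are hypothetical, and it assumes the values are echoed into an HTML attribute and that "date" has the YYYYMMDD shape seen in the advisory's URL.

```php
<?php
// Added example, not eGroupWare code: all function names here are hypothetical.

// Pattern the advisory describes: request input copied into an HTML attribute
// unchanged, so a double quote in the value closes the attribute early.
function search_field_unsafe(string $query): string
{
    return '<input type="text" name="query" value="' . $query . '">';
}

// Free-text fields (A2, A3) cannot be allow-listed, so encode for the
// attribute context. ENT_QUOTES covers both double and single quotes.
function search_field(string $query): string
{
    return '<input type="text" name="query" value="'
        . htmlspecialchars($query, ENT_QUOTES, 'UTF-8') . '">';
}

// Structured parameters such as "date" (A1) have a known shape, assumed here
// to be YYYYMMDD: reject anything else before the value is used at all.
function parse_calendar_date(string $raw): ?string
{
    if (!preg_match('/\A\d{8}\z/', $raw)) {
        return null;
    }
    $valid = checkdate((int) substr($raw, 4, 2), (int) substr($raw, 6, 2), (int) substr($raw, 0, 4));
    return $valid ? $raw : null;
}

function day_link(string $rawDate): string
{
    // Fall back to today rather than reflecting a rejected value.
    $date  = parse_calendar_date($rawDate) ?? date('Ymd');
    $query = http_build_query(['menuaction' => 'calendar.uicalendar.day', 'date' => $date]);
    return '<a href="index.php?' . htmlspecialchars($query, ENT_QUOTES, 'UTF-8') . '">day</a>';
}

// Constructed inputs: the harmless markup string from A3 and malformed dates.
$probe = '"><h1>That\'s fun!</h1>';
echo search_field_unsafe($probe), "\n";             // unencoded, for comparison
echo search_field($probe), "\n";                    // encoded for the attribute
var_dump(parse_calendar_date('20040701'));          // well-formed date
var_dump(parse_calendar_date('20040701' . $probe)); // trailing markup
echo day_link('20040231'), "\n";                    // eight digits, not a real date
```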