Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bugzilla DB migration completed. Please report issues to Infra team via email via infra@gentoo.org or IRC
Bug 61510 - www-apps/egroupware: Security update request: 1.0.0.004 fixes security problem
Summary: www-apps/egroupware: Security update request: 1.0.0.004 fixes security problem
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://www.egroupware.org/
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2004-08-24 07:00 UTC by Tim Weber
Modified: 2011-10-30 22:39 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
egroupware-1.0.00.004.ebuild (egroupware-1.0.00.004.ebuild,1.28 KB, text/plain)
2004-08-24 15:57 UTC, Bjarke Istrup Pedersen (RETIRED)
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Tim Weber 2004-08-24 07:00:39 UTC
As told on www.egroupware.org, version 1.0.0.003 contains some security problems which are fixed in 1.0.0.004 (already out and downloadable). The ebuild should be updated and a GLSA should be published.

Reproducible: Always
Steps to Reproduce:
Comment 1 Matthias Geerdsen (RETIRED) gentoo-dev 2004-08-24 07:17:01 UTC
Seems to refer to this posting on bugtraq:

http://www.securityfocus.com/archive/1/372603/2004-08-21/2004-08-27/0


--------------------------------------------------------------------------- 
         Multiple Cross Site Scripting Vulnerabilities 
in eGroupWare 
--------------------------------------------------------------------------- 
 
Author: Joxean Koret 
Date: 2004  
Location: Basque Country 
 
--------------------------------------------------------------------------- 
 
Affected software description: 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
 
eGroupWare Version 1.0.0.003 
 
eGroupWare is a multi-user, web-based 
groupware suite developed on a custom  
set of PHP-based APIs. Currently available 
modules include: email, addressbook,are so 
equals. 
calendar, infolog (notes, to-do's, phone calls), 
content management, forum,  
bookmarks, wiki 
 
Web: http://www.egroupware.org 
 
--------------------------------------------------------------------------- 
 
Vulnerabilities: 
~~~~~~~~~~~~~~~~ 
 
A. Multiple Cross Site Scripting Vulnerabilities 
 
I will no explicate certain bugs continuosly 
because all the XSS vulnerabilities  
are equals. 
 
A1. In the calendar module the parameter "date" 
is vulnerable to an XSS  
vulnerability. The error is due to an incorrect 
sanitization of the "date" 
parameter. To try the vulnerability :  
 
http://<site-with-egroupware>/egroupware/index.php?menuaction=calendar.uicalendar.day&date=20040701">&lt;script&gt;alert(document.cookie)</script

 
A2. In the calendar module you have an option to 
search any text. The module 
doesn't makes any sanitization of the user 
pased string. If you insert the  
following text you will see the vulnerability :  
 
	">&lt;script&gt;alert(document.cookie)&lt;/script&gt; 
 
A3. In the Address book module eGroupWare 
has the same problem. To try the 
vulnerability Click on Address Book (at the top of 
the web page) and in  
the search field insert the following text, in a new 
example :  
 
	"><h1>That's fun!</h1> 
 
These are the parameters that are vulnerables :  
 
At /egroupware/index.php?menuaction=addressbook.uiaddressbook.index : 
 
	Field parameter  
	Filter parameter  
	QField parameter  
	Start parameter  
 
A4. The option to search between projects is 
also vulnerable. Try this :  
 
	1.- Go to 
http://<site-with-egroupware>/egroupware/index.php?menuaction=preferences.uiaclprefs.index&acl_app=projects

	2.- Insert "><h1>this is new, and other XSS 
vulnerability...</h1> 
 
A5. In the messenger modules (when 
composing a new message) "Subject"  
field allows potentially dangerous HTML, such 
as, in other new example :  
 
">hi<img src="http://localhost/anyimage" 
onload="javascript:alert(document.cookie)"> 
 
A6. In the Ticket module when making the same 
action (creating a new element) 
the same field (Subject) is also vulnerable.  
 
The fix: 
~~~~~~~~ 
 
Vendor is not yet contacted or I have no 
response 
 
--------------------------------------------------------------------------- 
Contact: 
~~~~~~~~ 
 
	Joxean Koret at 
joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es 
Comment 2 Sune Kloppenborg Jeppesen gentoo-dev 2004-08-24 12:23:32 UTC
web-apps please bump to 1.0.0.004
Comment 3 Bjarke Istrup Pedersen (RETIRED) gentoo-dev 2004-08-24 15:54:56 UTC
Just rename the ebuild and build a digest.
Submitting new ebuild in a sec.
Comment 4 Bjarke Istrup Pedersen (RETIRED) gentoo-dev 2004-08-24 15:57:06 UTC
Created attachment 38123 [details]
egroupware-1.0.00.004.ebuild

ebuild
Comment 5 Renat Lumpau (RETIRED) gentoo-dev 2004-08-25 01:35:45 UTC
In CVS
Comment 6 Sune Kloppenborg Jeppesen gentoo-dev 2004-08-25 01:44:34 UTC
alpha and amd64 please mark stable
Comment 7 Bryan Østergaard (RETIRED) gentoo-dev 2004-08-25 14:30:10 UTC
Stable on alpha.
Comment 8 Sune Kloppenborg Jeppesen gentoo-dev 2004-08-31 14:19:35 UTC
***bump***
amd64 please mark stable
***bump***
Comment 9 Travis Tilley (RETIRED) gentoo-dev 2004-09-01 09:27:53 UTC
stable on amd64
Comment 10 Sune Kloppenborg Jeppesen gentoo-dev 2004-09-01 09:39:09 UTC
Security this one is ready for GLSA, please draft.

Upgrading to B3 as it is a XSS.
Comment 11 Luke Macken (RETIRED) gentoo-dev 2004-09-01 13:37:59 UTC
GLSA drafted.
Comment 12 Luke Macken (RETIRED) gentoo-dev 2004-09-02 05:46:48 UTC
The security update 1.0.00.004 break the functionality from the Email application.  1.0.00.004-2 has been released to fix this problem. 

web-apps please bump to 1.0.00.004-2
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2004-09-02 05:48:04 UTC
Back to ebuild status
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2004-09-02 05:49:42 UTC
Apparently our 1.0.00.004 ebuild already uses that -2 subversion, so we're OK. Back to GLSA.
Comment 15 Sune Kloppenborg Jeppesen gentoo-dev 2004-09-02 13:53:42 UTC
GLSA 200409-06