Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 61510 - www-apps/egroupware: Security update request: fixes security problem
Summary: www-apps/egroupware: Security update request: fixes security problem
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
Depends on:
Reported: 2004-08-24 07:00 UTC by Tim Weber
Modified: 2011-10-30 22:39 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

egroupware- (egroupware-,1.28 KB, text/plain)
2004-08-24 15:57 UTC, Bjarke Istrup Pedersen (RETIRED)
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Tim Weber 2004-08-24 07:00:39 UTC
As told on, version contains some security problems which are fixed in (already out and downloadable). The ebuild should be updated and a GLSA should be published.

Reproducible: Always
Steps to Reproduce:
Comment 1 Matthias Geerdsen (RETIRED) gentoo-dev 2004-08-24 07:17:01 UTC
Seems to refer to this posting on bugtraq:

         Multiple Cross Site Scripting Vulnerabilities 
in eGroupWare 
Author: Joxean Koret 
Date: 2004  
Location: Basque Country 
Affected software description: 
eGroupWare Version 
eGroupWare is a multi-user, web-based 
groupware suite developed on a custom  
set of PHP-based APIs. Currently available 
modules include: email, addressbook,are so 
calendar, infolog (notes, to-do's, phone calls), 
content management, forum,  
bookmarks, wiki 
A. Multiple Cross Site Scripting Vulnerabilities 
I will no explicate certain bugs continuosly 
because all the XSS vulnerabilities  
are equals. 
A1. In the calendar module the parameter "date" 
is vulnerable to an XSS  
vulnerability. The error is due to an incorrect 
sanitization of the "date" 
parameter. To try the vulnerability :  

A2. In the calendar module you have an option to 
search any text. The module 
doesn't makes any sanitization of the user 
pased string. If you insert the  
following text you will see the vulnerability :  
A3. In the Address book module eGroupWare 
has the same problem. To try the 
vulnerability Click on Address Book (at the top of 
the web page) and in  
the search field insert the following text, in a new 
example :  
	"><h1>That's fun!</h1> 
These are the parameters that are vulnerables :  
At /egroupware/index.php?menuaction=addressbook.uiaddressbook.index : 
	Field parameter  
	Filter parameter  
	QField parameter  
	Start parameter  
A4. The option to search between projects is 
also vulnerable. Try this :  
	1.- Go to 

	2.- Insert "><h1>this is new, and other XSS 
A5. In the messenger modules (when 
composing a new message) "Subject"  
field allows potentially dangerous HTML, such 
as, in other new example :  
">hi<img src="http://localhost/anyimage" 
A6. In the Ticket module when making the same 
action (creating a new element) 
the same field (Subject) is also vulnerable.  
The fix: 
Vendor is not yet contacted or I have no 
	Joxean Koret at 
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-24 12:23:32 UTC
web-apps please bump to
Comment 3 Bjarke Istrup Pedersen (RETIRED) gentoo-dev 2004-08-24 15:54:56 UTC
Just rename the ebuild and build a digest.
Submitting new ebuild in a sec.
Comment 4 Bjarke Istrup Pedersen (RETIRED) gentoo-dev 2004-08-24 15:57:06 UTC
Created attachment 38123 [details]

Comment 5 Renat Lumpau (RETIRED) gentoo-dev 2004-08-25 01:35:45 UTC
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-25 01:44:34 UTC
alpha and amd64 please mark stable
Comment 7 Bryan Østergaard (RETIRED) gentoo-dev 2004-08-25 14:30:10 UTC
Stable on alpha.
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-31 14:19:35 UTC
amd64 please mark stable
Comment 9 Travis Tilley (RETIRED) gentoo-dev 2004-09-01 09:27:53 UTC
stable on amd64
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-09-01 09:39:09 UTC
Security this one is ready for GLSA, please draft.

Upgrading to B3 as it is a XSS.
Comment 11 Luke Macken (RETIRED) gentoo-dev 2004-09-01 13:37:59 UTC
GLSA drafted.
Comment 12 Luke Macken (RETIRED) gentoo-dev 2004-09-02 05:46:48 UTC
The security update break the functionality from the Email application. has been released to fix this problem. 

web-apps please bump to
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2004-09-02 05:48:04 UTC
Back to ebuild status
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2004-09-02 05:49:42 UTC
Apparently our ebuild already uses that -2 subversion, so we're OK. Back to GLSA.
Comment 15 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-09-02 13:53:42 UTC
GLSA 200409-06