Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos network security services platform







Bugtraq: Multiple Cross Site Scripting Vulnerabilities in eGroupWare

Multiple Cross Site Scripting Vulnerabilities in eGroupWare

From: Joxean Koret <joxeankoret_at_yahoo.es>
Date: 22 Aug 2004 02:02:27 -0000
('binary' encoding is not supported, stored as-is) ---------------------------------------------------------------------------
         Multiple Cross Site Scripting Vulnerabilities
in eGroupWare
---------------------------------------------------------------------------
 
Author: Joxean Koret
Date: 2004
Location: Basque Country
 
---------------------------------------------------------------------------
 
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
eGroupWare Version 1.0.0.003
 
eGroupWare is a multi-user, web-based
groupware suite developed on a custom
set of PHP-based APIs. Currently available
modules include: email, addressbook,are so
equals.
calendar, infolog (notes, to-do's, phone calls),
content management, forum,
bookmarks, wiki
 
Web: http://www.egroupware.org
 
---------------------------------------------------------------------------
 
Vulnerabilities:
~~~~~~~~~~~~~~~~
 
A. Multiple Cross Site Scripting Vulnerabilities
 
I will no explicate certain bugs continuosly
because all the XSS vulnerabilities
are equals.
 
A1. In the calendar module the parameter "date"
is vulnerable to an XSS
vulnerability. The error is due to an incorrect
sanitization of the "date"
parameter. To try the vulnerability :
 
http://<site-with-egroupware>/egroupware/index.php?menuaction=calendar.uicalendar.day&date=20040701">&lt;script&gt;alert(document.cookie)</script
 
A2. In the calendar module you have an option to
search any text. The module
doesn't makes any sanitization of the user
pased string. If you insert the
following text you will see the vulnerability :
 
        ">&lt;script&gt;alert(document.cookie)&lt;/script&gt;
 
A3. In the Address book module eGroupWare
has the same problem. To try the
vulnerability Click on Address Book (at the top of
the web page) and in
the search field insert the following text, in a new
example :
 
        "><h1>That's fun!</h1>
 
These are the parameters that are vulnerables :
 
At /egroupware/index.php?menuaction=addressbook.uiaddressbook.index :
 
        Field parameter
        Filter parameter
        QField parameter
        Start parameter
 
A4. The option to search between projects is
also vulnerable. Try this :
 
        1.- Go to
http://<site-with-egroupware>/egroupware/index.php?menuaction=preferences.uiaclprefs.index&acl_app=projects
        2.- Insert "><h1>this is new, and other XSS
vulnerability...</h1>
 
A5. In the messenger modules (when
composing a new message) "Subject"
field allows potentially dangerous HTML, such
as, in other new example :
 
">hi<img src="http://localhost/anyimage"
onload="javascript:alert(document.cookie)">
 
A6. In the Ticket module when making the same
action (creating a new element)
the same field (Subject) is also vulnerable.
 
The fix:
~~~~~~~~
 
Vendor is not yet contacted or I have no
response
 
---------------------------------------------------------------------------
Contact:
~~~~~~~~
 
        Joxean Koret at
joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es
 
 
 
Received on Aug 23 2004
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]