[Full-Disclosure] [KSA-003] Cross Site Scripting Vulnerability in Phpgroupware

From: Francois SORIN (francois.sorin_at_security-corporation.com)
Date: 07/02/03

  • Next message: CORE Security Technologies Advisories: "CORE-2003-0305-04: NetMeeting Directory Traversal Vulnerability"
    To: <full-disclosure@lists.netsys.com>, <sec-adv@secunia.com>, <news@securiteam.com>, <articles@xatrix.org>, <bugs@securitytracker.com>, <vuln@security.nnov.ru>, <bugtraq@securityfocus.com>, <vulnwatch@vulnwatch.org>
    Date: Wed, 2 Jul 2003 18:37:37 +0200
    
    

    =================================================

    Kereval Security Advisory [KSA-003]

    Cross Site Scripting Vulnerability in Phpgroupware

    =================================================

    PROGRAM: Phpgroupware
    HOMEPAGE: http://www.phpgroupware.org/
    VULNERABLE VERSIONS: 0.9.14.003
    RISK: Low/Medium
    IMPACT: CSS
    RELEASE DATE: 2003-07-02

    =================================================
    TABLE OF CONTENTS
    =================================================

    1..........................................................DESCRIPTION
    2..............................................................DETAILS
    3.............................................................EXPLOITS
    4............................................................SOLUTIONS
    5...........................................................WORKAROUND
    6..................................................DISCLOSURE TIMELINE
    7..............................................................CREDITS
    8...........................................................DISCLAIMER
    9...........................................................REFERENCES
    10............................................................FEEDBACK

    1. DESCRIPTION
    =================================================

    "phpGroupWare (formerly known as webdistro) is a multi-user groupware
    suite written in PHP.

    It provides a Web-based calendar, todo-list, addressbook, email, news
    headlines, and a file manager. The calendar supports repeating events.
    The email system supports inline graphics and file attachments.

    The system as a whole supports user preferences, themes, user
    permissions, multi-language support, an advanced API, and user
    groups."

    (direct quote from http://www.phpgroupware.org)

    2. DETAILS
    =================================================

    ¤ Cross Site Scripting :

    Many exploitable bugs was found in Phpgroupware which cause script
    execution on client's computer by following a crafted url.

    This kind of attack known as "Cross-Site Scripting Vulnerability"
    is present in many section of the web site, an attacker can input
    specially crafted links and/or other malicious scripts.

    3. EXPLOIT
    =================================================

    ¤ Cross Site Scripting :

    Affected modules : all the additionnal modules with forms.

    Ex :

    http://[target]/addressbook/index.php?

    You can add a contact and put <script>alert();</script> in the name or
    surname. If you put something in the contact label the script is
    executed at this level.

    A dialog box is oppened on the client browser.

    4. SOLUTIONS
    =================================================

    ¤ Cross Site Scripting :
    Use the function php eregi_replace to filter the input data.

    5. WORKAROUND
    =================================================

    The phpgroupware team will correct these issues in the next release.

    6. DISCLOSURE TIMELINE
    =================================================

    06/24/2003 Vendor notified
    06/25/2003 Vendor response and solutions
    07/01/2003 Vendor authorisation
    07/01/2003 Security Corporation clients notified
    07/02/2003 Public disclosure

    7. CREDITS
    =================================================

    Discovered by François SORIN <francois.sorin@security-corporation.com>

    8. DISLAIMER
    =================================================

    The information within this paper may change without notice. Use of
    this information constitutes acceptance for use in an AS IS condition.
    There are NO warranties with regard to this information. In no event
    shall the author be liable for any damages whatsoever arising out of
    or in connection with the use or spread of this information. Any use
    of this information is at the user's own risk.

    9. REFERENCES
    =================================================

    - http://www.security-corporation.com/articles-20030702-005.html

    10. FEEDBACK
    =================================================

    Please send suggestions, updates, and comments to:

    Kereval
    Immeuble Le Gallium
    80, avenue des Buttes de Coesmes
    35700 RENNES - FRANCE
    info@kereval.com

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html


  • Next message: CORE Security Technologies Advisories: "CORE-2003-0305-04: NetMeeting Directory Traversal Vulnerability"

    Relevant Pages