[UNIX] Multiple phpGroupWare Vulnerabilities (Path Disclosure, XSS, SQL Injection)

• Previous message: SecuriTeam: "[NT] Unreachable Socket in Lithtech Engine (New Protocol)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 21 Dec 2004 18:47:45 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  Multiple phpGroupWare Vulnerabilities (Path Disclosure, XSS, SQL
Injection)
------------------------------------------------------------------------

SUMMARY

 <http://www.phpgroupware.org/> phpGroupWare (formerly known as webdistro)
is "a multi-user groupware suite written in PHP".

The phpGroupWare product has been found to contain multiple security
vulnerabilities ranging from cross site scripting to SQL injection
vulnerabilities.

DETAILS

Path Disclosure:
phpGroupWare allows for full path disclosure. This issue can take place in
more than one way. One example that will trigger the path disclosure is by
appending junk (such as metacharacters) to the end of a session id. Below
are two other examples
http://host/phpgroupware/preferences/preferences.php?appname=blah
http://host/phpgroupware/index.php?menuaction=blah

This will reveal the full physical path of the web directory, and could
possibly aid a would be attacker. The other example of path disclosure can
be triggered by specifying an invalid menu item.

Cross Site Scripting:
Cross Site Scripting takes place in multiple places in phpGroupWare.Below
are some examples.
http://host/phpgroupware/wiki/index.php?kp3=99884d8a63791f406585913d74476b11%22%3E%3Ciframe%3E
http://host/phpgroupware/index.php?menuaction=forum.uiforum.post&type=new%22%3E%3Ciframe%3E
http://host/phpgroupware/index.php?menuaction=forum.uiforum.read&msg=202%22%3E%3Ciframe%3E
http://host/phpgroupware/index.php?menuaction=forum.uiforum.read&forum_id=3%22%3E%3Ciframe%3E&msg=202
http://host/phpgroupware/index.php?menuaction=forum.uiforum.read&msg=42&pos=10%22%3E%3Ciframe%3E
http://host/phpgroupware/index.php?menuaction=preferences.uicategories.index&cats_app=%22%3E%3Ciframe%3E
http://host/phpgroupware/index.php?menuaction=preferences.uicategories.edit&cats_app=notes&extra=
&global_cats=True&cats_level=True&cat_parent=188&cat_id=188%22%3E%3Ciframe%3E
http://host/phpgroupware/index.php?menuaction=email.uimessage.message&msgball[msgnum]=1%22%3E%3Ciframe%3E
&msgball[folder]=INBOX.hello&msgball[acctnum]=0&sort=1&order=1&start=0
http://host/phpgroupware/index.php?menuaction=email.uicompose.compose&fldball[folder]=INBOX.hello
&fldball[acctnum]=0&to=%22%3E%3Ciframe%3E&personal=&sort=1&order=1&start=0
http://host/phpgroupware/tts/viewticket_details.php?ticket_id=338%22%3E%3Ciframe%3E

These Cross Site Scripting issues could allow an attacker to possibly
gather sensitive information from a victim, and execute arbitrary client
side code in the context of the victim's browser.

SQL Injection:
phpGrouWare has several SQL Injection holes. Some are not bad, some are a
bit unorthodox, and a few are dangerous. One example of a kinda unorthodox
SQL Injection is in the Trouble Ticket system. If an attacker requests a
URL like this:
http://host/phpgroupware/tts/viewticket_details.php?ticket_id=355[SQL_QUERY]

nothing will happen, but as soon as you save the ticket you are allowed to
influence a SELECT query which could be very bad. Some more examples of
the not so dangerous SQL Injection issues are:
http://host/phpgroupware/index.php?menuaction=todo.ui.show_list&order=[SQL_QUERY]&sort=ASC&filter=
&qfield=&start=&query=
http://host/phpgroupware/index.php?menuaction=projects.uiprojects.list_projects&order=[SQL_QUERY]
&sort=ASC&filter=&qfield=&start=&query=&pro_main=&action=mains

It should be noted that other parts of this query can be tampered with
also, such as the sort fields etc. Now for some examples of the more
dangerous issues that let you influence the query right in the middle of a
SELECT statement.
http://host/phpgroupware/index.php?menuaction=projects.uiprojects.edit_project&pro_main=31
&action=subs&project_id=32[SQL_QUERY]
http://host/phpgroupware/index.php?menuaction=projects.uiprojects.edit_project&pro_main=31[SQL_QUERY]
&action=subs&project_id=32
http://host/phpgroupware/index.php?menuaction=projects.uiprojects.view_project&pro_main=31
&action=subs&project_id=32[SQL_QUERY]&domain=default
http://host/phpgroupware/index.php?menuaction=projects.uiprojects.view_project&pro_main=31[SQL_QUERY]
&action=subs&project_id=32&domain=default&494fbb
http://host/phpgroupware/index.php?menuaction=projects.uiprojecthours.view_hours&project_id=32
&pro_parent=&action=subs&hours_id=26[SQL_QUERY]&domain=default

You can use these particular examples to UNION select info from the
database with little effort required. This can be bad when password hashes
start getting pulled by an attacker, or other sensitive data. I will
release my proof of concepts for phpGroupWare once the updated version is
available.

ADDITIONAL INFORMATION

The information has been provided by <mailto:security@gulftech.org>
GulfTech Security.
The original article can be found at:
<http://www.gulftech.org/?node=research&article_id=00054-12142004>
http://www.gulftech.org/?node=research&article_id=00054-12142004

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[NT] Unreachable Socket in Lithtech Engine (New Protocol)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

• [DRUPAL-SA-2007-018] Drupal 4.7.7 and 5.2 fix multiple cross site scripting vulnerabilit
  ... Both vulnerabilities are know as cross site scripting. ... The server
  variables issue was reported by David Caylor. ... The security team whishes to thank
  Dave, Morten Wulff, Brenda Wallace, ... (Bugtraq)
• Re: [Full-disclosure] WebScarab <= 20060621-0003 cross site scripting
  ... SECURITY at MORITZ hyphon NAUMANN d0t COM ... WebScarab is subject to
  a client side script code injection ... Cross Site Scripting, also known as XSS
  or CSS, describes ... (Full-Disclosure)
• Re: WebScarab <= 20060621-0003 cross site scripting
  ... SECURITY at MORITZ hyphon NAUMANN d0t COM ... WebScarab is subject to
  a client side script code injection ... Cross Site Scripting, also known as XSS
  or CSS, describes ... (Bugtraq)
• Re: ADP PICK database connect to SQL
  ... You are taking a terribly narrow view of security. ... worse) your server.
  ... Google around for cross site scripting exploits. ... your 'secure' web UI's
  techniques and can be _very_ nasty. ... (comp.databases.pick)
• [Full-disclosure] WebScarab <= 20060621-0003 cross site scripting
  ... SECURITY at MORITZ hyphon NAUMANN d0t COM ... WebScarab is subject to
  a client side script code injection ... Cross Site Scripting, also known as XSS
  or CSS, describes ... (Full-Disclosure)