Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[UNIX] Multiple phpGroupWare Vulnerabilities (Path Disclosure, XSS, SQL

from [SecuriTeam] Network Security [Permanent Link]
Subject: [UNIX] Multiple phpGroupWare Vulnerabilities (Path Disclosure, XSS, SQL Injection)
Date: 21 Dec 2004 18:47:45 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Multiple phpGroupWare Vulnerabilities (Path Disclosure, XSS, SQL 
Injection)
------------------------------------------------------------------------


SUMMARY

 <http://www.phpgroupware.org/> phpGroupWare (formerly known as webdistro) 
is "a multi-user groupware suite written in PHP".

The phpGroupWare product has been found to contain multiple security 
vulnerabilities ranging from cross site scripting to SQL injection 
vulnerabilities.

DETAILS

Path Disclosure:
phpGroupWare allows for full path disclosure. This issue can take place in 
more than one way. One example that will trigger the path disclosure is by 
appending junk (such as metacharacters) to the end of a session id. Below 
are two other examples
http://host/phpgroupware/preferences/preferences.php?appname=blah
http://host/phpgroupware/index.php?menuaction=blah

This will reveal the full physical path of the web directory, and could 
possibly aid a would be attacker. The other example of path disclosure can 
be triggered by specifying an invalid menu item.

Cross Site Scripting:
Cross Site Scripting takes place in multiple places in phpGroupWare.Below 
are some examples.
http://host/phpgroupware/wiki/index.php?kp3=99884d8a63791f406585913d74476b11%22%3E%3Ciframe%3E
http://host/phpgroupware/index.php?menuaction=forum.uiforum.post&type=new%22%3E%3Ciframe%3E
http://host/phpgroupware/index.php?menuaction=forum.uiforum.read&msg=202%22%3E%3Ciframe%3E
http://host/phpgroupware/index.php?menuaction=forum.uiforum.read&forum_id=3%22%3E%3Ciframe%3E&msg=202
http://host/phpgroupware/index.php?menuaction=forum.uiforum.read&msg=42&pos=10%22%3E%3Ciframe%3E
http://host/phpgroupware/index.php?menuaction=preferences.uicategories.index&cats_app=%22%3E%3Ciframe%3E
http://host/phpgroupware/index.php?menuaction=preferences.uicategories.edit&cats_app=notes&extra=
&global_cats=True&cats_level=True&cat_parent=188&cat_id=188%22%3E%3Ciframe%3E
http://host/phpgroupware/index.php?menuaction=email.uimessage.message&msgball[msgnum]=1%22%3E%3Ciframe%3E
&msgball[folder]=INBOX.hello&msgball[acctnum]=0&sort=1&order=1&start=0
http://host/phpgroupware/index.php?menuaction=email.uicompose.compose&fldball[folder]=INBOX.hello
&fldball[acctnum]=0&to=%22%3E%3Ciframe%3E&personal=&sort=1&order=1&start=0
http://host/phpgroupware/tts/viewticket_details.php?ticket_id=338%22%3E%3Ciframe%3E

These Cross Site Scripting issues could allow an attacker to possibly 
gather sensitive information from a victim, and execute arbitrary client 
side code in the context of the victim's browser.

SQL Injection:
phpGrouWare has several SQL Injection holes. Some are not bad, some are a 
bit unorthodox, and a few are dangerous. One example of a kinda unorthodox 
SQL Injection is in the Trouble Ticket system. If an attacker requests a 
URL like this:
http://host/phpgroupware/tts/viewticket_details.php?ticket_id=355[SQL_QUERY]

nothing will happen, but as soon as you save the ticket you are allowed to 
influence a SELECT query which could be very bad. Some more examples of 
the not so dangerous SQL Injection issues are:
http://host/phpgroupware/index.php?menuaction=todo.ui.show_list&order=[SQL_QUERY]&sort=ASC&filter=
&qfield=&start=&query=
http://host/phpgroupware/index.php?menuaction=projects.uiprojects.list_projects&order=[SQL_QUERY]
&sort=ASC&filter=&qfield=&start=&query=&pro_main=&action=mains

It should be noted that other parts of this query can be tampered with 
also, such as the sort fields etc. Now for some examples of the more 
dangerous issues that let you influence the query right in the middle of a 
SELECT statement.
http://host/phpgroupware/index.php?menuaction=projects.uiprojects.edit_project&pro_main=31
&action=subs&project_id=32[SQL_QUERY]
http://host/phpgroupware/index.php?menuaction=projects.uiprojects.edit_project&pro_main=31[SQL_QUERY]
&action=subs&project_id=32
http://host/phpgroupware/index.php?menuaction=projects.uiprojects.view_project&pro_main=31
&action=subs&project_id=32[SQL_QUERY]&domain=default
http://host/phpgroupware/index.php?menuaction=projects.uiprojects.view_project&pro_main=31[SQL_QUERY]
&action=subs&project_id=32&domain=default&494fbb
http://host/phpgroupware/index.php?menuaction=projects.uiprojecthours.view_hours&project_id=32
&pro_parent=&action=subs&hours_id=26[SQL_QUERY]&domain=default

You can use these particular examples to UNION select info from the 
database with little effort required. This can be bad when password hashes 
start getting pulled by an attacker, or other sensitive data. I will 
release my proof of concepts for phpGroupWare once the updated version is 
available.


ADDITIONAL INFORMATION

The information has been provided by  <mailto:security@gulftech.org> 
GulfTech Security.
The original article can be found at:  
<http://www.gulftech.org/?node=research&article_id=00054-12142004> 
http://www.gulftech.org/?node=research&article_id=00054-12142004



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [UNIX] Multiple phpGroupWare Vulnerabilities (Path Disclosure, XSS, SQL Injection), SecuriTeam <=
Previous by Date:  [NT] Unreachable Socket in Lithtech Engine (New Protocol), SecuriTeam
Next by Date:  [EXPL] phpBB highlight Arbitrary File Upload (Santy.A), SecuriTeam
Previous by Thread:  [NT] Unreachable Socket in Lithtech Engine (New Protocol), SecuriTeam
Next by Thread:  [EXPL] phpBB highlight Arbitrary File Upload (Santy.A), SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]