Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Multiple Cross Site Scripting Vulnerabilities in eGroupWare

from [Joxean Koret] Network Security [Permanent Link]
Subject: Multiple Cross Site Scripting Vulnerabilities in eGroupWare
Date: 22 Aug 2004 02:02:27 -0000 


--------------------------------------------------------------------------- 
         Multiple Cross Site Scripting Vulnerabilities 
in eGroupWare 
--------------------------------------------------------------------------- 
 
Author: Joxean Koret 
Date: 2004  
Location: Basque Country 
 
--------------------------------------------------------------------------- 
 
Affected software description: 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
 
eGroupWare Version 1.0.0.003 
 
eGroupWare is a multi-user, web-based 
groupware suite developed on a custom  
set of PHP-based APIs. Currently available 
modules include: email, addressbook,are so 
equals. 
calendar, infolog (notes, to-do's, phone calls), 
content management, forum,  
bookmarks, wiki 
 
Web: http://www.egroupware.org 
 
--------------------------------------------------------------------------- 
 
Vulnerabilities: 
~~~~~~~~~~~~~~~~ 
 
A. Multiple Cross Site Scripting Vulnerabilities 
 
I will no explicate certain bugs continuosly 
because all the XSS vulnerabilities  
are equals. 
 
A1. In the calendar module the parameter "date" 
is vulnerable to an XSS  
vulnerability. The error is due to an incorrect 
sanitization of the "date" 
parameter. To try the vulnerability :  
 
http://<site-with-egroupware>/egroupware/index.php?menuaction=calendar.uicalendar.day&date=20040701">&lt;script&gt;alert(document.cookie)</script
 
 
A2. In the calendar module you have an option to 
search any text. The module 
doesn't makes any sanitization of the user 
pased string. If you insert the  
following text you will see the vulnerability :  
 
        ">&lt;script&gt;alert(document.cookie)&lt;/script&gt; 
 
A3. In the Address book module eGroupWare 
has the same problem. To try the 
vulnerability Click on Address Book (at the top of 
the web page) and in  
the search field insert the following text, in a new 
example :  
 
        "><h1>That's fun!</h1> 
 
These are the parameters that are vulnerables :  
 
At /egroupware/index.php?menuaction=addressbook.uiaddressbook.index : 
 
        Field parameter  
        Filter parameter  
        QField parameter  
        Start parameter  
 
A4. The option to search between projects is 
also vulnerable. Try this :  
 
        1.- Go to 
http://<site-with-egroupware>/egroupware/index.php?menuaction=preferences.uiaclprefs.index&acl_app=projects
 
        2.- Insert "><h1>this is new, and other XSS 
vulnerability...</h1> 
 
A5. In the messenger modules (when 
composing a new message) "Subject"  
field allows potentially dangerous HTML, such 
as, in other new example :  
 
">hi<img src="http://localhost/anyimage"; 
onload="javascript:alert(document.cookie)"> 
 
A6. In the Ticket module when making the same 
action (creating a new element) 
the same field (Subject) is also vulnerable.  
 
The fix: 
~~~~~~~~ 
 
Vendor is not yet contacted or I have no 
response 
 
--------------------------------------------------------------------------- 
Contact: 
~~~~~~~~ 
 
        Joxean Koret at 
joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • Multiple Cross Site Scripting Vulnerabilities in eGroupWare, Joxean Koret <=
Previous by Date:  Re: Fwd: Re: Posible security bug in phpMyWebhosting, Matias Neiff
Next by Date:  New google's top query?, Jérôme
Previous by Thread:  DoS in Bird Chat 1.61, Donato Ferrante
Next by Thread:  New google's top query?, Jérôme
Indexes:  [Date] [Thread] [Top] [All Lists]