SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   phpGroupWare
Vendors:   phpGroupWare.org
PHPGroupWare Input Validation Flaws Permit Remote Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1007095
SecurityTracker URL:  http://securitytracker.com/id/1007095
CVE Reference:   CVE-2003-0504
Updated:  Aug 6 2003
Original Entry Date:  Jul 2 2003
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Vendor Confirmed:  Yes  
Version(s): 0.9.14.003
Description:   Security Corporation issued a security advisory warning of an input validation vulnerability in PHPGroupWare. A remote user can conduct cross-site scripting attacks.

Francois Sorin reported that several components do not filter HTML code from user-supplied input. All of the additional modules that have forms are reportedly affected.

A remote user can insert specially crafted text into a web form field. Then, when a target user views the information, arbitrary scripting code will be executed by the target user's browser. The code will originate from the site running PHPGroupWare and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

For example, a remote user can place scripting code in the name or surname field when adding a contact.

The following notification timeline is provided:

06/24/2003 Vendor notified
06/25/2003 Vendor response and solutions
07/01/2003 Vendor authorisation
07/01/2003 Security Corporation clients notified
07/02/2003 Public disclosure

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the PHPGroupWare software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   No solution was available at the time of this entry. The vendor reportedly plans to correct these flaws in the next release.
Vendor URL:  www.phpgroupware.org/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jul 15 2003 (Vendor Issues Fix) Re: PHPGroupWare Input Validation Flaws Permit Remote Cross-Site Scripting Attacks
The vendor has released a fix.
Aug 21 2003 (Debian Issues Fix) PHPGroupWare Input Validation Flaws Permit Remote Cross-Site Scripting Attacks
Debian has released a fix.



 Source Message Contents

Subject:  [KSA-003] Cross Site Scripting Vulnerability in Phpgroupware




=================================================

Kereval Security Advisory [KSA-003]



Cross Site Scripting Vulnerability in Phpgroupware

=================================================

PROGRAM: Phpgroupware
HOMEPAGE: http://www.phpgroupware.org/
VULNERABLE VERSIONS: 0.9.14.003
RISK: Low/Medium
IMPACT: CSS
RELEASE DATE: 2003-07-02

=================================================
TABLE OF CONTENTS
=================================================

1..........................................................DESCRIPTION
2..............................................................DETAILS
3.............................................................EXPLOITS
4............................................................SOLUTIONS
5...........................................................WORKAROUND
6..................................................DISCLOSURE TIMELINE
7..............................................................CREDITS
8...........................................................DISCLAIMER
9...........................................................REFERENCES
10............................................................FEEDBACK

1. DESCRIPTION
=================================================

"phpGroupWare (formerly known as webdistro) is a multi-user groupware
suite written in PHP.

It provides a Web-based calendar, todo-list, addressbook, email, news
headlines, and a file manager. The calendar supports repeating events.
The email system supports inline graphics and file attachments.

The system as a whole supports user preferences, themes, user
permissions, multi-language support, an advanced API, and user
groups."

(direct quote from http://www.phpgroupware.org)


2. DETAILS
=================================================


Many exploitable bugs were found in Phpgroupware which cause script
execution on the client's computer by following a crafted url.

This kind of attack, known as "Cross-Site Scripting Vulnerability",
is present in many sections of the web site; an attacker can input
specially crafted links and/or other malicious scripts.


3. EXPLOIT
=================================================


Affected modules : all the additional modules with forms.

Ex :

http://[target]/addressbook/index.php?

You can add a contact and put <script>alert();</script> in the name or
surname. If you put something in the contact label the script is
executed at this level.

A dialog box is opened on the client browser.


4. SOLUTIONS
=================================================

Use the PHP function eregi_replace to filter the input data.


5. WORKAROUND
=================================================

The phpgroupware team will correct these issues in the next release.


6. DISCLOSURE TIMELINE
=================================================

06/24/2003 Vendor notified
06/25/2003 Vendor response and solutions
07/01/2003 Vendor authorisation
07/01/2003 Security Corporation clients notified
07/02/2003 Public disclosure


7. CREDITS
=================================================



8. DISCLAIMER
=================================================

The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are NO warranties with regard to this information. In no event
shall the author be liable for any damages whatsoever arising out of
or in connection with the use or spread of this information. Any use
of this information is at the user's own risk.


9. REFERENCES
=================================================

- http://www.security-corporation.com/articles-20030702-005.html


10. FEEDBACK
=================================================

Please send suggestions, updates, and comments to:

Kereval
Immeuble Le Gallium
80, avenue des Buttes de Coesmes
35700 RENNES - FRANCE
info@kereval.com
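
Added example, not part of the Kereval advisory or the phpGroupWare code base: the pattern filtering suggested under SOLUTIONS next to output encoding of the contact fields named under EXPLOIT. The function names, the row markup and the sample records are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Pattern filter in the style the advisory suggests. eregi_replace() was
// removed in PHP 7.0; preg_replace() with the /i flag is its replacement.
function filter_tags(string $value): string
{
    return preg_replace('/<[^>]*>/i', '', $value) ?? '';
}

// Output encoding for HTML text nodes and quoted attribute values.
function h(string $value): string
{
    // ENT_QUOTES encodes both quote characters; ENT_SUBSTITUTE replaces
    // invalid UTF-8 sequences instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical renderer for one address book row: every stored field is
// encoded at the point where it is written into the page.
function render_contact_row(array $contact): string
{
    return sprintf(
        '<tr title="%s"><td>%s</td><td>%s</td></tr>',
        h($contact['label']),
        h($contact['name']),
        h($contact['surname'])
    );
}

// Constructed sample records. The first name is the advisory's test string.
$contacts = [
    ['label' => 'test', 'name' => '<script>alert();</script>', 'surname' => 'x'],
    ['label' => 'Work "main"', 'name' => 'Smith <R&D>', 'surname' => "O'Brien"],
];

foreach ($contacts as $c) {
    // Filtering silently drops legitimate text such as "<R&D>" ...
    echo 'filtered: ', filter_tags($c['name']), PHP_EOL;
    // ... while encoding keeps the data and renders it as inert text.
    echo 'encoded:  ', render_contact_row($c), PHP_EOL;
}
```

Encoding at output time covers every module that displays the stored value, whereas an input filter has to be repeated in each form handler and alters what the user entered.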




 
 



Copyright 2021, SecurityGlobal.net LLC