--------------------------------------------------------------------------- Multiple Cross Site Scripting Vulnerabilities in eGroupWare --------------------------------------------------------------------------- Author: Joxean Koret Date: 2004 Location: Basque Country --------------------------------------------------------------------------- Affected software description: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ eGroupWare Version 1.0.0.003 eGroupWare is a multi-user, web-based groupware suite developed on a custom set of PHP-based APIs. Currently available modules include: email, addressbook,are so equals. calendar, infolog (notes, to-do's, phone calls), content management, forum, bookmarks, wiki Web: http://www.egroupware.org --------------------------------------------------------------------------- Vulnerabilities: ~~~~~~~~~~~~~~~~ A. Multiple Cross Site Scripting Vulnerabilities I will no explicate certain bugs continuosly because all the XSS vulnerabilities are equals. A1. In the calendar module the parameter "date" is vulnerable to an XSS vulnerability. The error is due to an incorrect sanitization of the "date" parameter. To try the vulnerability : http:///egroupware/index.php?menuaction=calendar.uicalendar.day&date=20040701"><script>alert(document.cookie)<script>alert(document.cookie)</script> A3. In the Address book module eGroupWare has the same problem. To try the vulnerability Click on Address Book (at the top of the web page) and in the search field insert the following text, in a new example : ">

That's fun!

These are the parameters that are vulnerables : At /egroupware/index.php?menuaction=addressbook.uiaddressbook.index : Field parameter Filter parameter QField parameter Start parameter A4. The option to search between projects is also vulnerable. Try this : 1.- Go to http:///egroupware/index.php?menuaction=preferences.uiaclprefs.index&acl_app=projects 2.- Insert ">

this is new, and other XSS vulnerability...

A5. In the messenger modules (when composing a new message) "Subject" field allows potentially dangerous HTML, such as, in other new example : ">hi A6. In the Ticket module when making the same action (creating a new element) the same field (Subject) is also vulnerable. The fix: ~~~~~~~~ Vendor is not yet contacted or I have no response --------------------------------------------------------------------------- Contact: ~~~~~~~~ Joxean Koret at joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<>>>>es