Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline

kereval.phpgroup.txt

πŸ—“οΈΒ 04 Jul 2003Β 00:00:00Reported byΒ Francois SORINTypeΒ 
packetstorm
Β packetstormπŸ”—Β packetstormsecurity.comπŸ‘Β 29Β Views

Cross Site Scripting Vulnerability identified in Phpgroupware version 0.9.14.003, with low/medium risk.

Show more

AI Insights are available for you today

Leverage the power of AI to quickly understand vulnerabilities, impacts, and exploitability

Code
`=================================================  
  
Kereval Security Advisory [KSA-003]  
  
  
  
Cross Site Scripting Vulnerability in Phpgroupware  
  
=================================================  
  
PROGRAM: Phpgroupware  
HOMEPAGE: http://www.phpgroupware.org/  
VULNERABLE VERSIONS: 0.9.14.003  
RISK: Low/Medium  
IMPACT: CSS  
RELEASE DATE: 2003-07-02  
  
=================================================  
TABLE OF CONTENTS  
=================================================  
  
1..........................................................DESCRIPTION  
2..............................................................DETAILS  
3.............................................................EXPLOITS  
4............................................................SOLUTIONS  
5...........................................................WORKAROUND  
6..................................................DISCLOSURE TIMELINE  
7..............................................................CREDITS  
8...........................................................DISCLAIMER  
9...........................................................REFERENCES  
10............................................................FEEDBACK  
  
1. DESCRIPTION  
=================================================  
  
"phpGroupWare (formerly known as webdistro) is a multi-user groupware  
suite written in PHP.  
  
It provides a Web-based calendar, todo-list, addressbook, email, news  
headlines, and a file manager. The calendar supports repeating events.  
The email system supports inline graphics and file attachments.  
  
The system as a whole supports user preferences, themes, user  
permissions, multi-language support, an advanced API, and user  
groups."  
  
(direct quote from http://www.phpgroupware.org)  
  
  
2. DETAILS  
=================================================  
  
Β€ Cross Site Scripting :  
  
Many exploitable bugs was found in Phpgroupware which cause script  
execution on client's computer by following a crafted url.  
  
This kind of attack known as "Cross-Site Scripting Vulnerability"  
is present in many section of the web site, an attacker can input  
specially crafted links and/or other malicious scripts.  
  
  
3. EXPLOIT  
=================================================  
  
Β€ Cross Site Scripting :  
  
Affected modules : all the additionnal modules with forms.  
  
Ex :  
  
http://[target]/addressbook/index.php?  
  
You can add a contact and put <script>alert();</script> in the name or  
surname. If you put something in the contact label the script is  
executed at this level.  
  
A dialog box is oppened on the client browser.  
  
  
4. SOLUTIONS  
=================================================  
  
Β€ Cross Site Scripting :  
Use the function php eregi_replace to filter the input data.  
  
  
5. WORKAROUND  
=================================================  
  
The phpgroupware team will correct these issues in the next release.  
  
  
6. DISCLOSURE TIMELINE  
=================================================  
  
06/24/2003 Vendor notified  
06/25/2003 Vendor response and solutions  
07/01/2003 Vendor authorisation  
07/01/2003 Security Corporation clients notified  
07/02/2003 Public disclosure  
  
  
7. CREDITS  
=================================================  
  
Discovered by FranΓ§ois SORIN <[email protected]>  
  
  
8. DISLAIMER  
=================================================  
  
The information within this paper may change without notice. Use of  
this information constitutes acceptance for use in an AS IS condition.  
There are NO warranties with regard to this information. In no event  
shall the author be liable for any damages whatsoever arising out of  
or in connection with the use or spread of this information. Any use  
of this information is at the user's own risk.  
  
  
9. REFERENCES  
=================================================  
  
- http://www.security-corporation.com/articles-20030702-005.html  
  
  
10. FEEDBACK  
=================================================  
  
Please send suggestions, updates, and comments to:  
  
Kereval  
Immeuble Le Gallium  
80, avenue des Buttes de Coesmes  
35700 RENNES - FRANCE  
[email protected]  
  
  
`

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. ContactΒ us for a demo andΒ discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo
04 Jul 2003 00:00Current
7.4High risk
Vulners AI Score7.4
cross site scriptingphpgroupwarevulnerable versionslow riskmedium risksecurity advisory.
29
.json
Report