phpGroupWare.txt

2004-12-30T00:00:00
ID PACKETSTORM:35347
Type packetstorm
Reporter James Bercegay
Modified 2004-12-30T00:00:00

Description

                                        
                                            `  
  
##########################################################  
# GulfTech Security Research December 14th, 2004  
##########################################################  
# Vendor : phpGroupWare  
# URL : http://www.phpgroupware.org  
# Version : phpGroupWare 0.9.16.003  
# Risk : Multiple Vulnerabilities  
##########################################################  
  
Description:  
phpGroupWare (formerly known as webdistro) is a multi-user   
groupware suite written in PHP. It provides a Web-based calendar,   
todo-list, addressbook, email, news headlines, and a file manager.   
The calendar supports repeating events. The email system supports   
inline graphics and file attachments. The system as a whole supports   
user preferences, themes, user permissions, multi-language support,   
an advanced API, and user groups. phpGroupWare is included with some   
Linux distributions.  
  
  
  
Path Disclosure:  
phpGroupWare allows for full path disclosure. This issue can take   
place in more than one way. One example that will trigger the path   
disclosure is by appending junk (such as metacharacters) to the end   
of a session id. Below are two other examples  
  
http://host/phpgroupware/preferences/preferences.php?appname=blah  
http://host/phpgroupware/index.php?menuaction=blah  
  
This will reveal the full physical path of the web directory, and   
could possibly aid a would be attacker. The other example of path  
disclosure can be triggered by specifying an invalid menu item.  
  
  
  
Cross Site Scripting:  
Cross Site Scripting takes place in multiple places in phpGroupWare.  
Below are some examples.  
  
http://host/phpgroupware/wiki/index.php?kp3=99884d8a63791f406585913d74476b11  
%22%3E%3Ciframe%3E  
http://host/phpgroupware/index.php?menuaction=forum.uiforum.post&type=new%22  
%3E%3Ciframe%3E  
http://host/phpgroupware/index.php?menuaction=forum.uiforum.read&msg=202%22%  
3E%3Ciframe%3E  
http://host/phpgroupware/index.php?menuaction=forum.uiforum.read&forum_id=3%  
22%3E%3Ciframe%3E&msg=202  
http://host/phpgroupware/index.php?menuaction=forum.uiforum.read&msg=42&pos=  
10%22%3E%3Ciframe%3E  
http://host/phpgroupware/index.php?menuaction=preferences.uicategories.index  
&cats_app=%22%3E%3Ciframe%3E  
http://host/phpgroupware/index.php?menuaction=preferences.uicategories.edit&  
cats_app=notes&extra=&global_cats=True&cats_level=True&cat_parent=188&cat_id  
=188%22%3E%3Ciframe%3E  
http://host/phpgroupware/index.php?menuaction=email.uimessage.message&msgbal  
l[msgnum]=1%22%3E%3Ciframe%3E&msgball[folder]=INBOX.hello&msgball[acctnum]=0  
&sort=1&order=1&start=0  
http://host/phpgroupware/index.php?menuaction=email.uicompose.compose&fldbal  
l[folder]=INBOX.hello&fldball[acctnum]=0&to=%22%3E%3Ciframe%3E&personal=&sor  
t=1&order=1&start=0  
http://host/phpgroupware/tts/viewticket_details.php?ticket_id=338%22%3E%3Cif  
rame%3E  
  
These Cross Site Scripting issues could allow an attacker to possibly   
gather sensitive information from a victim, and execute arbitrary client   
side code in the context of the victim's browser.  
  
  
  
SQL Injection:  
phpGrouWare has several SQL Injection holes. Some are not bad, some are   
a bit unorthadox, and a few are dangerous. One example of a kinda unorthadox  
  
SQL Injection is in the Trouble Ticket system. If an attacker requests a url  
  
like this:  
  
http://host/phpgroupware/tts/viewticket_details.php?ticket_id=355[SQL_QUERY]  
  
nothing will happen, but as soon as you save the ticket you are allowed to   
influence a SELECT query which could be very bad. Some more examples of the   
not so dangerous SQL Injection issues are:  
  
http://host/phpgroupware/index.php?menuaction=todo.ui.show_list&order=[SQL_Q  
UERY]&sort=ASC&filter=&qfield=&start=&query=  
http://host/phpgroupware/index.php?menuaction=projects.uiprojects.list_proje  
cts&order=[SQL_QUERY]&sort=ASC&filter=&qfield=&start=&query=&pro_main=&actio  
n=mains  
  
It should be noted that other parts of this query can be tampered with also,  
  
such as the sort fields etc. Now for some examples of the more dangerous   
issues that let you influence the query right in the middle of a SELECT  
statement.  
  
http://host/phpgroupware/index.php?menuaction=projects.uiprojects.edit_proje  
ct&pro_main=31&action=subs&project_id=32[SQL_QUERY]  
http://host/phpgroupware/index.php?menuaction=projects.uiprojects.edit_proje  
ct&pro_main=31[SQL_QUERY]&action=subs&project_id=32  
http://host/phpgroupware/index.php?menuaction=projects.uiprojects.view_proje  
ct&pro_main=31&action=subs&project_id=32[SQL_QUERY]&domain=default  
http://host/phpgroupware/index.php?menuaction=projects.uiprojects.view_proje  
ct&pro_main=31[SQL_QUERY]&action=subs&project_id=32&domain=default&494fbb  
http://host/phpgroupware/index.php?menuaction=projects.uiprojecthours.view_h  
ours&project_id=32&pro_parent=&action=subs&hours_id=26[SQL_QUERY]&domain=def  
ault  
  
You can use these particular examples to UNION select info from the database  
with  
little effort required. This can be bad when password hashes start getting  
pulled  
by an attacker, or other sensitive data. I will release my proof of concepts  
for  
phpGroupWare once the updated version is available.  
  
  
  
Notes:  
All of the example url's had the session id, click history, and kp3  
variables   
removed except where they were part of one of the examples. I also wrapped a  
few of the above examples for readability.  
  
  
  
Solution:  
I was able to speak to one of the lead developers via IRC on September 25th,  
2004. I made the developer aware of the vulnerabilities, and held off on   
publishing my findings for a couple of months. I have not been able to get  
in  
touch with any developers for some weeks now, so I publish my finding in  
hopes   
that the community will present a fix :)   
  
  
  
Related Info:  
The original advisory can be found at the following location  
http://www.gulftech.org/?node=research&article_id=00054-12142004  
  
  
  
Credits:  
James Bercegay of the GulfTech Security Research Team  
  
--   
No virus found in this outgoing message.  
Checked by AVG Anti-Virus.  
Version: 7.0.296 / Virus Database: 265.5.0 - Release Date: 12/9/2004  
  
  
`