
eGroupWare_infoleak.txt

18 Apr 2005 | Reported by Gerald Quakenbush | Type: packetstorm | Source: packetstormsecurity.com

The eGroupWare open-source software has a flaw that could expose confidential information by unintentionally sending attachments in emails.

Code
`MasterMind Security Group, Inc.  
Security Brief  
  
Date: April 7, 2005  
Contact: Gerald Quakenbush <geraldq AT mastermindsecuritygroup.com>  
Severity: Moderate to Serious  
Product: Confirmed in eGroupWare 1.001 and 1.006  
  
Synopsis  
========  
The eGroupWare open-source software (www.egroupware.org) has a flaw that could  
expose confidential information.  
  
The eGroupWare suite provides many applications via a web interface. One such  
application is for email. A flaw in this application could result in the  
unwitting disclosure of files.  
  
If a user composes a message and attaches a file, then decides not to send the  
message, the attachment will get sent to the next person the user emails.  
There is no indication in the message window that the file from the previous  
message is still attached, unless the user clicks on the button to attach a  
file to the second message.  
  
Mitigation  
==========  
Until a patch is issued to resolve the problem, be aware of this issue. If you  
attach a file to a message and then decide not to send it, log out of  
eGroupWare, then log back in before sending any new messages.  
  
Walk Through  
============  
  
Log in to eGroupWare using an account that has email configured.  
  
Step 1. After logging in, select the email icon on the tool bar.  
  
Step 2. Click the Compose button to create a new message and attach a file. Do  
NOT click Send.  
  
Step 3. Without sending the message, return to the inbox. You can click the  
inbox link on the left of the email icon on the toolbar.  
  
Step 4. You are now back at the main inbox screen. Click on the Compose link  
again.  
  
Step 5. Enter an email address (a personal account or one of a trusted friend,  
preferably), a subject and brief message if you like and click Send.  
  
Step 6. Now check the email for the account you sent the message to above. The  
attachment from the canceled message in step 2 will be attached.  
  
-Quake  
  
--   
------------------------------------  
Gerald Quakenbush, CISSP, NSA-IAM  
MasterMind Security Group, Inc.  
888.295.6012 x701  
http://www.mastermindsecuritygroup.com  
  
  
`
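
The walk-through above can be turned into a regression check for any webmail compose flow. The following is an added example, not eGroupWare code and not part of the advisory. It assumes that pending attachments are held per login session, a cause the advisory does not state; the class names, file name and address are constructed.

```python
"""Constructed model of the behaviour in the advisory; not eGroupWare code.
Assumption: pending attachments are stored per login session."""
import secrets


class SessionScopedCompose:
    """Leaky pattern: one attachment list per login session."""

    def __init__(self):
        self.pending = []          # survives an abandoned compose window

    def open_compose(self):
        return None                # no per-draft state is created

    def attach(self, draft, filename):
        self.pending.append(filename)

    def send(self, draft, to):
        sent, self.pending = self.pending, []
        return {"to": to, "attachments": sent}


class DraftScopedCompose:
    """Hardened pattern: attachments belong to one draft id only."""

    def __init__(self):
        self.drafts = {}

    def open_compose(self):
        draft = secrets.token_hex(8)
        self.drafts[draft] = []    # every compose window starts empty
        return draft

    def attach(self, draft, filename):
        self.drafts[draft].append(filename)

    def send(self, draft, to):
        return {"to": to, "attachments": self.drafts.pop(draft)}


def walk_through(mailer):
    """Replay steps 2 to 6 of the advisory; return what the recipient gets."""
    first = mailer.open_compose()
    mailer.attach(first, "confidential.pdf")   # step 2: attach, do not send
    second = mailer.open_compose()             # steps 3-4: inbox, compose again
    return mailer.send(second, "recipient@example.test")["attachments"]


if __name__ == "__main__":
    print("session-scoped:", walk_through(SessionScopedCompose()))
    print("draft-scoped:  ", walk_through(DraftScopedCompose()))
```

A production version of the draft-scoped store would also expire abandoned drafts so their uploaded files do not linger on the server.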
