Multiple Cross Site Scripting Vulnerabilities in eGroupWare

Type securityvulns
Reporter Securityvulns
Modified 2004-08-25T00:00:00


     Multiple Cross Site Scripting Vulnerabilities

in eGroupWare

Author: Joxean Koret Date: 2004
Location: Basque Country

Affected software description: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

eGroupWare Version

eGroupWare is a multi-user, web-based groupware suite developed on a custom
set of PHP-based APIs. Currently available modules include: email, addressbook,are so equals. calendar, infolog (notes, to-do's, phone calls), content management, forum,
bookmarks, wiki


Vulnerabilities: ~~~~~~~~~~~~~~~~

A. Multiple Cross Site Scripting Vulnerabilities

I will no explicate certain bugs continuosly because all the XSS vulnerabilities
are equals.

A1. In the calendar module the parameter "date" is vulnerable to an XSS
vulnerability. The error is due to an incorrect sanitization of the "date" parameter. To try the vulnerability :


A2. In the calendar module you have an option to search any text. The module doesn't makes any sanitization of the user pased string. If you insert the
following text you will see the vulnerability :


A3. In the Address book module eGroupWare has the same problem. To try the vulnerability Click on Address Book (at the top of the web page) and in
the search field insert the following text, in a new example :

    &quot;&gt;&lt;h1&gt;That&#39;s fun!&lt;/h1&gt;

These are the parameters that are vulnerables :

At /egroupware/index.php?menuaction=addressbook.uiaddressbook.index :

    Field parameter  
    Filter parameter  
    QField parameter  
    Start parameter

A4. The option to search between projects is also vulnerable. Try this :

    1.- Go to

http://<site-with-egroupware>/egroupware/index.php?menuaction=preferences.uiaclprefs.index&acl_app=projects 2.- Insert "><h1>this is new, and other XSS vulnerability...</h1>

A5. In the messenger modules (when composing a new message) "Subject"
field allows potentially dangerous HTML, such as, in other new example :

">hi<img src="http://localhost/anyimage" onload="javascript:alert(document.cookie)">

A6. In the Ticket module when making the same action (creating a new element) the same field (Subject) is also vulnerable.

The fix: ~~~~~~~~

Vendor is not yet contacted or I have no response

Contact: ~~~~~~~~

    Joxean Koret at