EGroupware 1.6.002 / EGroupware Premium Line 9.1 Multiple Vu
Posted on 17 March 2010
========================================================================= EGroupware 1.6.002 / EGroupware Premium Line 9.1 Multiple Vulnerabilities ========================================================================= Advisory Name: Remote Command Execution in EGroupware Vulnerability Class: Remote Command Execution Release Date: 2010-03-09 Affected Applications: Confirmed in EGroupware 1.4.001+.002 and 1.6.001+.002. EGroupware Premium Line 9.1 and 9.2 is also affected. Other versions may also be affected. Affected Platforms: Multiple Local / Remote: Remote Severity: High – CVSS: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C) Researcher: Nahuel Grisol?a Vendor Status: Acknowledged / Fixed. Reference to Vulnerability Disclosure Policy: http://www.cybsec.com/vulnerability_policy.pdf Reference to CYBSEC Security Advisories: http://www.cybsec.com/EN/research/default.php Vulnerability Description: EGroupware is prone to a remote command execution vulnerability because the software fails to adequately sanitize user-supplied input. Successful attacks can compromise the affected software and possibly the computer running EGroupware. Proof of Concept: http://server/egroupware/phpgwapi/js/fckeditor/editor/dialog/fck_spellerpages/spellerpages/serverscripts/ spellchecker.php?aspell_path=cat%20/etc/passwd%20%3E%20/tmp/passwd; Parameter spellchecker_lang is also affected. Impact: Direct execution of arbitrary code in the context of Webserver user. Solution: Fixed in EGroupware version 1.6.003, EPL-9.1.20100309 and EPL-9.2.20100309 Vendor Response: Feb 5, 2010 - CYBSEC first notification Feb 8, 2010 between Mar 7, 2010 – Multiple contacts. Mar 9, 2010 – Vendor released fixed versions. Mar 9, 2010 – Vulnerability is published. Advisory Name: Reflected Cross-Site Scripting (XSS) in EGroupware Vulnerability Class: Reflected Cross-Site Scripting (XSS) Release Date: 2010-03-09 Affected Applications: Confirmed in EGroupware 1.4.001+.002 and 1.6.001+.002. EGroupware Premium Line 9.1 and 9.2 is also affected. Other versions may also be affected. Affected Platforms: Multiple Local / Remote: Remote Severity: Medium – CVSS: 5 (AV:N/AC:L/Au:N/C:N/I:P/A:N) Researcher: Nahuel Grisol?a Vendor Status: Acknowledged / Fixed. Reference to Vulnerability Disclosure Policy: http://www.cybsec.com/vulnerability_policy.pdf Reference to CYBSEC Security Advisories: http://www.cybsec.com/EN/research/default.php Vulnerability Description: A reflected Cross Site Scripting vulnerability was found in EGroupware, because the application fails to sanitize user-supplied input. The vulnerability can be triggered by any user. Proof of Concept: Working on Mozilla Firefox 3.5.7: http://server/egroupware/login.php? lang="%20style="width:100%;height:100%;display:block;position:absolute;top:0px;left:0px"%20onM ouseOver="alert(document.cookie) Impact: An affected user may unintentionally execute scripts or actions written by an attacker. In addition, an attacker may obtain authorization cookies that would allow him to gain unauthorized access to the application. Solution: Fixed in EGroupware version 1.6.003, EPL-9.1.20100309 and EPL-9.2.20100309 Vendor Response: Feb 5, 2010 - CYBSEC first notification Feb 8, 2010 between Mar 7, 2010 – Multiple contacts. Mar 9, 2010 – Vendor released fixed versions. Mar 9, 2010 – Vulnerability is published. # ~ - [ [ : Inj3ct0r : ] ]
