
eGroupWare_infoleak.txt

Posted Apr 18, 2005
Authored by Gerald Quakenbush | Site mastermindsecuritygroup.com

eGroupWare contains a bug where mail attachments could be sent to the wrong recipient by mistake, due to eGroupWare caching attachments after a user decides to cancel a message.

tags | exploit
SHA-256 | 749dead5a3d9e61cb8aeed7fe8e36c08cea5e025ab202d7a3da558e4ee54b64c

MasterMind Security Group, Inc.
Security Brief

Date: April 7, 2005
Contact: Gerald Quakenbush <geraldq AT mastermindsecuritygroup.com>
Severity: Moderate to Serious
Product: Confirmed in eGroupWare 1.001 and 1.006

Synopsis
========
The eGroupWare open-source software (www.egroupware.org) has a flaw that could
expose confidential information.

The eGroupWare suite provides many applications via a web interface. One such
application is for email. A flaw in this application could result in the
unwitting disclosure of files.

If a user composes a message and attaches a file, then decides not to send the
message, the attachment will get sent to the next person the user emails.
There is no indication in the message window that the file from the previous
message is still attached, unless the user clicks on the button to attach a
file to the second message.

Mitigation
==========
Until a patch is issued to resolve the problem, be aware of this issue. If you
attach a file to a message and then decide not to send it, log out of
eGroupWare, then log back on before sending any new messages.

Walk Through
============

Log in to eGroupWare using an account that has email configured.

Step 1. After logging in, select the email icon on the tool bar.

Step 2. Click the Compose button to create a new message and attach a file. Do
NOT click Send.

Step 3. Without sending the message, return to the inbox. You can click the
inbox link on the left of the email icon on the toolbar.

Step 4. You are now back at the main inbox screen. Click on the Compose link
again.

Step 5. Enter an email address (a personal account or one of a trusted friend,
preferably), a subject and brief message if you like and click Send.

Step 6. Now check the email for the account you sent the message to above. The
attachment from the canceled message in step 2 will be attached.

-Quake

--
------------------------------------
Gerald Quakenbush, CISSP, NSA-IAM
MasterMind Security Group, Inc.
888.295.6012 x701
http://www.mastermindsecuritygroup.com
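
The behaviour in the walk-through, modelled as an added example (this is not eGroupWare code and not from the advisory's author): a session-wide attachment cache next to a version that scopes attachments to each compose window. All class, method and file names are hypothetical, and clearing the cache on send is an assumption.

```python
import uuid


class SharedCacheMail:
    """Vulnerable pattern (hypothetical model): one attachment cache per login session."""

    def __init__(self):
        self.cache = []                    # lives for the whole login session

    def compose(self):
        return None                        # no per-message state is created

    def attach(self, draft, filename):
        self.cache.append(filename)

    def cancel(self, draft):
        pass                               # returning to the inbox clears nothing

    def send(self, draft, to):
        # Assumption: only a completed send empties the cache.
        sent, self.cache = {"to": to, "attachments": self.cache}, []
        return sent


class PerDraftMail:
    """Hardened pattern (hypothetical): attachments keyed by a per-compose draft id."""

    def __init__(self):
        self.drafts = {}

    def compose(self):
        draft = uuid.uuid4().hex
        self.drafts[draft] = []
        return draft

    def attach(self, draft, filename):
        self.drafts[draft].append(filename)

    def cancel(self, draft):
        self.drafts.pop(draft, None)       # drop the abandoned draft's files

    def send(self, draft, to):
        return {"to": to, "attachments": self.drafts.pop(draft)}


def walk_through(mail):
    """Steps 2-6 of the advisory against either model; sample values are constructed."""
    first = mail.compose()
    mail.attach(first, "payroll.xls")
    mail.cancel(first)                     # step 3: back to the inbox without sending
    return mail.send(mail.compose(), "friend@example.org")["attachments"]
```

Because the second model gives every compose window its own id, a message cannot pick up another draft's files even when the user navigates away without an explicit cancel.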

