--------------------------------------------------------------------------- 
         Multiple Cross Site Scripting Vulnerabilities 
in eGroupWare 
--------------------------------------------------------------------------- 
 
Author: Joxean Koret 
Date: 2004  
Location: Basque Country 
 
--------------------------------------------------------------------------- 
 
Affected software description: 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
 
eGroupWare Version 1.0.0.003 
 
eGroupWare is a multi-user, web-based 
groupware suite developed on a custom  
set of PHP-based APIs. Currently available 
modules include: email, addressbook,are so 
equals. 
calendar, infolog (notes, to-do's, phone calls), 
content management, forum,  
bookmarks, wiki 
 
Web: http://www.egroupware.org 
 
--------------------------------------------------------------------------- 
 
Vulnerabilities: 
~~~~~~~~~~~~~~~~ 
 
A. Multiple Cross Site Scripting Vulnerabilities 
 
I will no explicate certain bugs continuosly 
because all the XSS vulnerabilities  
are equals. 
 
A1. In the calendar module the parameter "date" 
is vulnerable to an XSS  
vulnerability. The error is due to an incorrect 
sanitization of the "date" 
parameter. To try the vulnerability :  
 
http://<site-with-egroupware>/egroupware/index.php?menuaction=calendar.uicalendar.day&date=20040701">&lt;script&gt;alert(document.cookie)</script 
 
A2. In the calendar module you have an option to 
search any text. The module 
doesn't makes any sanitization of the user 
pased string. If you insert the  
following text you will see the vulnerability :  
 
	">&lt;script&gt;alert(document.cookie)&lt;/script&gt; 
 
A3. In the Address book module eGroupWare 
has the same problem. To try the 
vulnerability Click on Address Book (at the top of 
the web page) and in  
the search field insert the following text, in a new 
example :  
 
	"><h1>That's fun!</h1> 
 
These are the parameters that are vulnerables :  
 
At /egroupware/index.php?menuaction=addressbook.uiaddressbook.index : 
 
	Field parameter  
	Filter parameter  
	QField parameter  
	Start parameter  
 
A4. The option to search between projects is 
also vulnerable. Try this :  
 
	1.- Go to 
http://<site-with-egroupware>/egroupware/index.php?menuaction=preferences.uiaclprefs.index&acl_app=projects 
	2.- Insert "><h1>this is new, and other XSS 
vulnerability...</h1> 
 
A5. In the messenger modules (when 
composing a new message) "Subject"  
field allows potentially dangerous HTML, such 
as, in other new example :  
 
">hi<img src="http://localhost/anyimage" 
onload="javascript:alert(document.cookie)"> 
 
A6. In the Ticket module when making the same 
action (creating a new element) 
the same field (Subject) is also vulnerable.  
 
The fix: 
~~~~~~~~ 
 
Vendor is not yet contacted or I have no 
response 
 
--------------------------------------------------------------------------- 
Contact: 
~~~~~~~~ 
 
	Joxean Koret at 
joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es