EGroupware 1.6.002 / EGroupware Premium Line 9.1 Multiple Vulnerability

2010-03-17
ID: 11339
CVE: None
Download vulnerable application: None
EGroupware 1.6.002 / EGroupware Premium Line 9.1 Multiple Vulnerabilities
=========================================================================
 Advisory Name: Remote Command Execution in EGroupware
  Vulnerability Class: Remote Command Execution
  Release Date: 2010-03-09
  Affected Applications: Confirmed in EGroupware 1.4.001+.002 and 1.6.001+.002. EGroupware
  Premium Line 9.1 and 9.2 is also affected. Other versions may also be affected.
  Affected Platforms: Multiple
  Local / Remote: Remote
  Severity: High – CVSS: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
  Researcher: Nahuel Grisol?a
  Vendor Status: Acknowledged / Fixed.
  Reference to Vulnerability Disclosure Policy: http://www.cybsec.com/vulnerability_policy.pdf
  Reference to CYBSEC Security Advisories: http://www.cybsec.com/EN/research/default.php
  Vulnerability Description:
  EGroupware is prone to a remote command execution vulnerability because the software fails to
adequately sanitize user-supplied input.
Successful attacks can compromise the affected software and possibly the computer running
EGroupware.
  Proof of Concept:
  http://server/egroupware/phpgwapi/js/fckeditor/editor/dialog/fck_spellerpages/spellerpages/serverscripts/
spellchecker.php?aspell_path=cat%20/etc/passwd%20%3E%20/tmp/passwd;
  Parameter spellchecker_lang is also affected.
  Impact:
  Direct execution of arbitrary code in the context of Webserver user.
  Solution: Fixed in EGroupware version 1.6.003, EPL-9.1.20100309 and EPL-9.2.20100309
  Vendor Response:
  Feb 5, 2010 - CYBSEC first notification
Feb 8, 2010 between Mar 7, 2010 – Multiple contacts.
Mar 9, 2010 – Vendor released fixed versions.
Mar 9, 2010 – Vulnerability is published.
  Advisory Name: Reflected Cross-Site Scripting (XSS) in EGroupware
  Vulnerability Class: Reflected Cross-Site Scripting (XSS)
  Release Date: 2010-03-09
  Affected Applications: Confirmed in EGroupware 1.4.001+.002 and 1.6.001+.002. EGroupware
Premium Line 9.1 and 9.2 is also affected. Other versions may also be affected.
  Affected Platforms: Multiple
  Local / Remote: Remote
  Severity: Medium – CVSS: 5 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
  Researcher: Nahuel Grisol?a
  Vendor Status: Acknowledged / Fixed.
  Reference to Vulnerability Disclosure Policy: http://www.cybsec.com/vulnerability_policy.pdf
  Reference to CYBSEC Security Advisories: http://www.cybsec.com/EN/research/default.php
  Vulnerability Description:
  A reflected Cross Site Scripting vulnerability was found in EGroupware, because the application fails
to sanitize user-supplied input. The vulnerability can be triggered by any user.
  Proof of Concept:
  Working on Mozilla Firefox 3.5.7:
http://server/egroupware/login.php?
lang="%20style="width:100%;height:100%;display:block;position:absolute;top:0px;left:0px"%20onM
ouseOver="alert(document.cookie)
  Impact:
  An affected user may unintentionally execute scripts or actions written by an attacker. In addition, an
attacker may obtain authorization cookies that would allow him to gain unauthorized access to the
application.
  Solution: Fixed in EGroupware version 1.6.003, EPL-9.1.20100309 and EPL-9.2.20100309
  Vendor Response:
  Feb 5, 2010 - CYBSEC first notification
Feb 8, 2010 between Mar 7, 2010 – Multiple contacts.
Mar 9, 2010 – Vendor released fixed versions.
Mar 9, 2010 – Vulnerability is published.
1-4-2 (www02)