eGroupware Products Multiple Vulnerabilities


Description   AutoSec Tools has reported a weakness and two vulnerabilities in some eGroupware products, which can be exploited by malicious people to conduct spoofing and cross-site scripting attacks and disclose sensitive information.
1) Input passed via the "lang" parameter to phpgwapi/js/jscalendar/test.php is not properly sanitised in phpqwapi/js/jscalendar/calendar.php before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
2) Input passed via the "forward" parameter to phpgwapi/ntlm/index.php is not properly verified before being used to redirect users. This can be exploited to redirect a user to an arbitrary website e.g. when a user clicks a specially crafted link to the affected script hosted on a trusted domain.
3) Input passed via the "type" parameter to admin/remote.php (when "uid" and "creator_email" are set) is not properly verified in admin/inc/class.admin_cmd.inc.php before being used to include files. This can be exploited to include arbitrary files from local resources via directory traversal attacks and URL-encoded NULL bytes.
Successful exploitation of this vulnerability requires that "magic_quotes_gpc" is disabled.
The vulnerabilities are confirmed in eGroupWare version 1.8.001 and reported in eGroupWare EPL versions prior to 11.1.20110804-1. Other versions may also be affected.
     
Vulnerable Products   Vulnerable Software:
eGroupWare 1.xeGroupWare EPL 11.x
     
Solution   Update to a fixed versioneGroupWare 1.x:Update to version 1.8.001.20110805eGroupWare EPL 11.x:Update to version 11.1.20110804-1
     
CVE  
     
References   eGroupWare:
http://www.egroupware.org/epl-changelog
http://www.egroupware.org/changelog
AutoSec Tools:
http://www.autosectools.com/Advisories/eGroupware.1.8.001_Reflected.Cross-site.Scripting_178.html
http://www.autosectools.com/Advisory/eGroupware-1.8.001.20110421-Open-Redirect-225
http://www.autosectools.com/Advisory/eGroupware-1.8.001.20110421-Local-File-Inclusion-224
     
Vulnerability Manager Detection   No
     
IPS Protection  
ASQ Engine alarm Available Since
XSS - Prevention - GET : suspicious 'iframe' tag found in URL
3.2.0
XSS - Prevention - GET : suspicious 'meta' tag found in URL
3.2.0
Misc : Directory traversal - parameter starting with ../
3.2.0
XSS - Prevention - GET : suspicious tag with event found in URL
3.2.0
XSS - Prevention - GET : suspicious 'applet' tag found in URL
3.2.0
Directory traversal using ..\..
3.2.0
XSS - Phishing : suspicious 'div' tag found in URL
3.2.0
XSS - Prevention - GET : suspicious 'style' attribute found in URL
3.2.0
XSS - Prevention - GET : suspicious 'img' tag found in URL
3.2.0
Directory traversal
3.2.0
XSS - Phishing : suspicious 'a' tag found in URL
3.2.0
XSS - Prevention - GET : cookie access attempt using script language found in URL
3.2.0
XSS - Prevention - GET : suspicious 'embed' tag found in URL
3.2.0
XSS - Prevention - GET : suspicious 'object' tag found in URL
3.2.0
XSS - Phishing : suspicious 'form' tag found in URL
3.2.0
XSS - Prevention - GET : javascript code found in URL
3.2.0
XSS - Prevention - GET : evasion attempt using tag characters encoding in URL
3.2.0
Directory traversal backward root folder
3.2.0
XSS - Prevention - GET : suspicious 'style' tag found in URL
3.2.0
XSS - Phishing : suspicious 'link' tag found in URL
3.2.0
XSS - Prevention - GET : 'script' tag found in URL
3.2.0
XSS - Prevention - GET : 'location' javascript object found in URL
3.2.0
Escaped NULL char in URL
3.2.0
XSS - Prevention - GET : suspicious 'div' tag found in URL
3.2.0
     


 
 
 
 
 Risk level 
Moderate 

 Vulnerability First Public Report Date 
2011-04-08 

 Target Type 
Server 

 Possible exploit 
Remote