=================================================

Kereval Security Advisory [KSA-003]



Cross Site Scripting Vulnerability in Phpgroupware

=================================================

PROGRAM: Phpgroupware
HOMEPAGE: http://www.phpgroupware.org/
VULNERABLE VERSIONS: 0.9.14.003
RISK: Low/Medium
IMPACT: CSS
RELEASE DATE: 2003-07-02

=================================================
TABLE OF CONTENTS
=================================================

1..........................................................DESCRIPTION
2..............................................................DETAILS
3.............................................................EXPLOITS
4............................................................SOLUTIONS
5...........................................................WORKAROUND
6..................................................DISCLOSURE TIMELINE
7..............................................................CREDITS
8...........................................................DISCLAIMER
9...........................................................REFERENCES
10............................................................FEEDBACK

1. DESCRIPTION
=================================================

"phpGroupWare (formerly known as webdistro) is a multi-user groupware
suite written in PHP.

It provides a Web-based calendar, todo-list, addressbook, email, news
headlines, and a file manager. The calendar supports repeating events.
The email system supports inline graphics and file attachments.

The system as a whole supports user preferences, themes, user
permissions, multi-language support, an advanced API, and user
groups."

(direct quote from http://www.phpgroupware.org)


2. DETAILS
=================================================

¤ Cross Site Scripting :

Many exploitable bugs was found in Phpgroupware which cause script
execution on client's computer by following a crafted url.

This kind of attack known as "Cross-Site Scripting Vulnerability"
is present in many section of the web site, an attacker can input
specially crafted links and/or other malicious scripts.


3. EXPLOIT
=================================================

¤ Cross Site Scripting :

Affected modules : all the additionnal modules with forms.

Ex :

http://[target]/addressbook/index.php?

You can add a contact and put <script>alert();</script> in the name or
surname. If you put something in the contact label the script is
executed at this level.

A dialog box is oppened on the client browser.


4. SOLUTIONS
=================================================

¤ Cross Site Scripting :
Use the function php eregi_replace to filter the input data.


5. WORKAROUND
=================================================

The phpgroupware team will correct these issues in the next release.


6. DISCLOSURE TIMELINE
=================================================

06/24/2003 Vendor notified
06/25/2003 Vendor response and solutions
07/01/2003 Vendor authorisation
07/01/2003 Security Corporation clients notified
07/02/2003 Public disclosure


7. CREDITS
=================================================

Discovered by François SORIN <francois.sorin@security-corporation.com>


8. DISLAIMER
=================================================

The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are NO warranties with regard to this information. In no event
shall the author be liable for any damages whatsoever arising out of
or in connection with the use or spread of this information. Any use
of this information is at the user's own risk.


9. REFERENCES
=================================================

- http://www.security-corporation.com/articles-20030702-005.html


10. FEEDBACK
=================================================

Please send suggestions, updates, and comments to:

Kereval
Immeuble Le Gallium
80, avenue des Buttes de Coesmes
35700 RENNES - FRANCE
info@kereval.com