信息来源:
www.securiteam.com
Summary
phpGroupWare (formerly known as webdistro) is "a multi-user groupware suite written in PHP".
The phpGroupWare product has been found to contain multiple security vulnerabilities ranging from cross site scripting to SQL injection vulnerabilities.
Details
Path Disclosure:
phpGroupWare allows for full path disclosure. This issue can take place in more than one way. One example that will trigger the path disclosure is by appending junk (such as metacharacters) to the end of a session id. Below are two other examples
http://host/phpgroupware/preferences/preferences.php?appname=blah
http://host/phpgroupware/index.php?menuaction=blah
This will reveal the full physical path of the web directory, and could possibly aid a would be attacker. The other example of path disclosure can be triggered by specifying an invalid menu item.
Cross Site Scripting:
Cross Site Scripting takes place in multiple places in phpGroupWare.Below are some examples.
http://host/phpgroupware/wiki/in ... 1%22%3E%3Ciframe%3E
http://host/phpgroupware/index.p ... w%22%3E%3Ciframe%3E
http://host/phpgroupware/index.p ... 2%22%3E%3Ciframe%3E
http://host/phpgroupware/index.p ... rame%3E&msg=202
http://host/phpgroupware/index.p ... 0%22%3E%3Ciframe%3E
http://host/phpgroupware/index.p ... =%22%3E%3Ciframe%3E
http://host/phpgroupware/index.p ... pp=notes&extra=
&global_cats=True&cats_level=True&cat_parent=188&cat_id=188%22%3E%3Ciframe%3E
http://host/phpgroupware/index.p ... message&msgball[msgnum]=1%22%3E%3Ciframe%3E
&msgball[folder]=INBOX.hello&msgball[acctnum]=0&sort=1&order=1&start=0
http://host/phpgroupware/index.p ... compose&fldball[folder]=INBOX.hello
&fldball[acctnum]=0&to=%22%3E%3Ciframe%3E&personal=&sort=1&order=1&start=0
http://host/phpgroupware/tts/vie ... 8%22%3E%3Ciframe%3E
These Cross Site Scripting issues could allow an attacker to possibly gather sensitive information from a victim, and execute arbitrary client side code in the context of the victim's browser.
SQL Injection:
phpGrouWare has several SQL Injection holes. Some are not bad, some are a bit unorthodox, and a few are dangerous. One example of a kinda unorthodox SQL Injection is in the Trouble Ticket system. If an attacker requests a URL like this:
http://host/phpgroupware/tts/viewticket_details.php?ticket_id=355[SQL_QUERY]
nothing will happen, but as soon as you save the ticket you are allowed to influence a SELECT query which could be very bad. Some more examples of the not so dangerous SQL Injection issues are:
http://host/phpgroupware/index.p ... how_list&order=[SQL_QUERY]&sort=ASC&filter=
&qfield=&start=&query=
http://host/phpgroupware/index.p ... projects&order=[SQL_QUERY]
&sort=ASC&filter=&qfield=&start=&query=&pro_main=&action=mains
It should be noted that other parts of this query can be tampered with also, such as the sort fields etc. Now for some examples of the more dangerous issues that let you influence the query right in the middle of a SELECT statement.
http://host/phpgroupware/index.p ... ect&pro_main=31
&action=subs&project_id=32[SQL_QUERY]
http://host/phpgroupware/index.p ... ect&pro_main=31[SQL_QUERY]
&action=subs&project_id=32
http://host/phpgroupware/index.p ... ect&pro_main=31
&action=subs&project_id=32[SQL_QUERY]&domain=default
http://host/phpgroupware/index.p ... ect&pro_main=31[SQL_QUERY]
&action=subs&project_id=32&domain=default&494fbb
http://host/phpgroupware/index.p ... s&project_id=32
&pro_parent=&action=subs&hours_id=26[SQL_QUERY]&domain=default
You can use these particular examples to UNION select info from the database with little effort required. This can be bad when password hashes start getting pulled by an attacker, or other sensitive data. I will release my proof of concepts for phpGroupWare once the updated version is available.
Additional information
The information has been provided by GulfTech Security. The original article can be found at:
http://www.gulftech.org/?node=re ... e_id=00054-12142004
