Advisory Name: Remote Command Execution in EGroupware

Vulnerability Class: Remote Command Execution

Release Date: 2010-03-09

Affected Applications: Confirmed in EGroupware 1.4.001+.002 and 1.6.001+.002. EGroupware
Premium Line 9.1 and 9.2 are also affected. Other versions may also be affected.
10
Affected Platforms: Multiple

Local / Remote: Remote

Severity: High - CVSS: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Researcher: Nahuel Grisolía

Vendor Status: Acknowledged / Fixed.

Reference to Vulnerability Disclosure Policy: http://www.cybsec.com/vulnerability_policy.pdf

Reference to CYBSEC Security Advisories: http://www.cybsec.com/EN/research/default.php
24
Vulnerability Description:

EGroupware is prone to a remote command execution vulnerability because spellchecker.php, the
server-side script shipped with the bundled FCKeditor spell checker, fails to adequately sanitize
user-supplied input: the aspell_path and spellchecker_lang request parameters are used to build a
shell command, so shell metacharacters in either parameter (the ";" and ">" in the proof of concept
below) run as additional commands. The script is reachable without authentication (Au:N in the
CVSS vector above).
Successful attacks compromise the affected software and possibly the computer running
EGroupware.
31
Proof of Concept:

http://server/egroupware/phpgwapi/js/fckeditor/editor/dialog/fck_spellerpages/spellerpages/serverscripts/spellchecker.php?aspell_path=cat%20/etc/passwd%20%3E%20/tmp/passwd;

Decoded, the aspell_path value is "cat /etc/passwd > /tmp/passwd;", which copies /etc/passwd to
/tmp/passwd on the server as evidence of execution. The spellchecker_lang parameter is affected
in the same way.
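For responders who need to know whether an exposed installation was probed with this, the following is an added example and not part of the advisory or of EGroupware itself. It scans combined-format web server access log lines for requests to the spellchecker.php path above whose aspell_path or spellchecker_lang parameter carries shell metacharacters, decoding the query twice so double-encoded payloads are caught. The log lines are constructed samples (line 1 is the advisory's proof of concept); the metacharacter set and the log format are assumptions.

```python
import re
import sys
from urllib.parse import urlsplit, unquote, unquote_plus

# Tail of the vulnerable script's path as given in the advisory.
SPELLCHECKER_PATH = "fck_spellerpages/spellerpages/serverscripts/spellchecker.php"
# The two parameters the advisory names as injectable.
INJECTABLE_PARAMS = ("aspell_path", "spellchecker_lang")
# Assumption: none of these characters belong in an aspell path or a language code.
SHELL_META = re.compile(r"[;&|`$<>\n]")
# Request field of an Apache/nginx combined log line: "METHOD target HTTP/x.y" (assumed format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log: line 1 is the advisory's proof of concept, line 3 injects via
# spellchecker_lang, lines 2 and 4 are benign traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Mar/2010:10:15:02 +0000] "GET /egroupware/phpgwapi/js/fckeditor/editor/dialog/fck_spellerpages/spellerpages/serverscripts/spellchecker.php?aspell_path=cat%20/etc/passwd%20%3E%20/tmp/passwd; HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Mar/2010:10:16:40 +0000] "GET /egroupware/phpgwapi/js/fckeditor/editor/dialog/fck_spellerpages/spellerpages/serverscripts/spellchecker.php?spellchecker_lang=en_US HTTP/1.1" 200 1420 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Mar/2010:10:17:01 +0000] "GET /egroupware/phpgwapi/js/fckeditor/editor/dialog/fck_spellerpages/spellerpages/serverscripts/spellchecker.php?spellchecker_lang=en_US%3Bid%3E/tmp/o HTTP/1.1" 200 1420 "-" "Mozilla/5.0"
192.0.2.9 - - [09/Mar/2010:10:18:11 +0000] "GET /egroupware/index.php?menuaction=calendar.uicalendar.month HTTP/1.1" 200 9031 "-" "Mozilla/5.0"
"""


def parse_query(query: str) -> dict:
    """Split a query string on '&' only; ';' is part of the payload here, not a separator."""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params


def suspicious_params(target: str) -> dict:
    """Return {param: decoded value} for injectable params that carry shell metacharacters."""
    parts = urlsplit(target)
    if not parts.path.endswith(SPELLCHECKER_PATH):
        return {}
    params = parse_query(parts.query)
    hits = {}
    for name in INJECTABLE_PARAMS:
        for value in params.get(name, []):
            decoded = unquote(value)  # second decoding pass catches double-encoded payloads
            if SHELL_META.search(decoded):
                hits[name] = decoded
    return hits


def scan_log(lines):
    """Yield (line_no, client_ip, {param: payload}) for each request that looks like an attempt."""
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        hits = suspicious_params(m.group("target"))
        if hits:
            yield n, line.split(" ", 1)[0], hits


def scan_sample() -> list:
    """Run the scanner over the constructed sample log."""
    return list(scan_log(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for n, ip, hits in scan_log(source):
        print(f"line {n}: {ip} -> {hits}")
```

Run it against a real access log with the file path as the first argument; with no argument it scans the embedded sample and reports lines 1 and 3. Matching on the path tail rather than the full URL keeps it working when EGroupware is installed under a different prefix than /egroupware/.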
38
Impact:

Direct execution of arbitrary commands in the context of the web server user. A host that was hit
with the proof of concept above will have a /tmp/passwd file owned by that user, which is a quick
indicator when triaging exposed installations.

Solution: Fixed in EGroupware version 1.6.003, EPL-9.1.20100309 and EPL-9.2.20100309. Until the
upgrade is applied, access to spellchecker.php should be blocked at the web server.
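The class of fix this needs, shown as an added illustration in Python rather than the project's PHP, and not the vendor's actual patch: the flawed pattern pastes request values into a command string that a shell interprets, so the ";" in the advisory's payload ends one command and starts another. The fix takes the binary path from server configuration only, allow-lists the language code, and executes an argv list with no shell. The option names are real aspell flags, but the command line itself, the allow-list regex and the /usr/bin/aspell location are assumptions. The demonstration runs the modelled vulnerable command under /bin/sh with a harmless echo payload standing in for the advisory's cat /etc/passwd.

```python
import re
import shlex
import subprocess

# The server decides which binary runs; the request never gets a say (assumed location).
ASPELL_BIN = "/usr/bin/aspell"
# Assumed allow-list: locale codes such as "en", "en_US" or "pt-BR", nothing else.
LANG_RE = re.compile(r"[A-Za-z]{2,3}([_-][A-Za-z]{2,4})?")


def vulnerable_command(aspell_path: str, lang: str) -> str:
    """Models the flawed pattern: request values pasted into a string a shell will interpret."""
    return f"{aspell_path} -a --lang={lang} --encoding=utf-8 -H"


def run_vulnerable(aspell_path: str, lang: str) -> str:
    """Hand the modelled command to /bin/sh and return its stdout.

    With aspell_path="echo INJECTED;" the shell runs `echo INJECTED`, then fails trying to
    run "-a" as a second command; the injected command has already executed by then."""
    proc = subprocess.run(vulnerable_command(aspell_path, lang),
                          shell=True, capture_output=True, text=True)
    return proc.stdout


def is_valid_lang(lang: str) -> bool:
    """Allow-list check: the whole value must be a locale code."""
    return LANG_RE.fullmatch(lang) is not None


def hardened_argv(lang: str) -> list:
    """The fix: fixed binary, allow-listed language, argv list to be run with shell=False,
    so each element is exactly one argument and metacharacters are never interpreted."""
    if not is_valid_lang(lang):
        raise ValueError(f"rejected spellchecker_lang {lang!r}")
    return [ASPELL_BIN, "-a", f"--lang={lang}", "--encoding=utf-8", "-H"]


def quoted_argv(lang: str) -> list:
    """Second line of defence when a shell string is unavoidable: shlex.quote makes the
    value a single word, so "en;id" becomes the argument --lang=en;id, not two commands."""
    return shlex.split(f"{ASPELL_BIN} -a --lang={shlex.quote(lang)} --encoding=utf-8 -H")


if __name__ == "__main__":
    payload = "echo INJECTED;"  # harmless stand-in for the advisory's cat /etc/passwd payload
    print("vulnerable command:", vulnerable_command(payload, "en"))
    print("shell stdout:", run_vulnerable(payload, "en").strip())
    print("hardened argv:", hardened_argv("en_US"))
    print("quoted argv:", quoted_argv("en;id"))
    try:
        hardened_argv(payload)
    except ValueError as exc:
        print("hardened rejects payload:", exc)
```

The allow-list is the primary control and quoting the fallback: a quoted value still reaches aspell as an argument, so a rejected value is always safer than a neutralised one. The hardened argv is only built here, not executed, because aspell need not be installed where this runs.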
44
Vendor Response:

Feb 5, 2010 - CYBSEC first notification.
Feb 8 to Mar 7, 2010 - Multiple contacts.
Mar 9, 2010 - Vendor released fixed versions.
Mar 9, 2010 - Vulnerability is published.
51
EGroupware 1.6.002 and EGroupware Premium Line 9.1 Multiple Vulnerabilities
Nahuel Grisolia
03/16/2010

Advisory Name: Reflected Cross-Site Scripting (XSS) in EGroupware

Vulnerability Class: Reflected Cross-Site Scripting (XSS)

Release Date: 2010-03-09

Affected Applications: Confirmed in EGroupware 1.4.001+.002 and 1.6.001+.002. EGroupware
Premium Li