eGroupWare Multiple Cross-Site Scripting and SQL Injection Vulnerabilities
An exploit is not required. The following proofs of concept were supplied:

For the cross-site scripting issues:

http://egroupware/index.php?menuaction=addressbook.uiaddressbook.edit&ab_id=11[XSS]
http://egroupware/index.php?menuaction=manual.uimanual.view&page=ManualAddressbook[XSS]
http://egroupware/index.php?menuaction=forum.uiforum.post&type=new[XSS]
http://egroupware/wiki/index.php?page=RecentChanges[XSS]
http://egroupware/wiki/index.php?action=history&page=WikkiTikkiTavi&lang=en[XSS]
http://egroupware/index.php?menuaction=wiki.uiwiki.edit&page=setup[XSS]
http://egroupware/sitemgr/sitemgr-site/?category_id=4[XSS]

For the SQL injection issues:

http://egroupware/tts/index.php?filter=u99[SQL]
http://egroupware/tts/index.php?filter=c99[SQL]
http://egroupware/index.php?menuaction=preferences.uicategories.index&cats_app=foobar[SQL]
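
For detection, the parameters that carry the [XSS] or [SQL] marker in the URLs above can be checked in web server access logs. The following is an added example, not part of the original advisory or of eGroupWare: the per-parameter patterns are assumptions inferred only from the benign sample values shown above, and the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed value shapes, inferred from the benign sample values in the
# advisory URLs (ab_id=11, filter=u99, lang=en, ...); not eGroupWare's own rules.
EXPECTED = {
    "ab_id": r"\d+",
    "category_id": r"\d+",
    "filter": r"[a-z]\d+",
    "type": r"[a-z]+",
    "lang": r"[a-z]+",
    "page": r"\w+",
    "cats_app": r"\w+",
}
PATTERNS = {k: re.compile(v, re.ASCII) for k, v in EXPECTED.items()}

# Request line of a common/combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def flag_request(url):
    """Return sorted names of listed parameters whose decoded value
    does not match its expected shape."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(
        name for name, pat in PATTERNS.items()
        if any(not pat.fullmatch(v) for v in query.get(name, []))
    )

def scan(lines):
    """Return (line_number, [parameter, ...]) for each suspicious log line."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        hits = flag_request(match.group(1)) if match else []
        if hits:
            findings.append((number, hits))
    return findings

# Constructed sample log lines (documentation IP range, harmless markers).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2005:10:00:00 +0000] "GET /index.php?menuaction=addressbook.uiaddressbook.edit&ab_id=11 HTTP/1.1" 200 5120',
    '192.0.2.11 - - [01/Jan/2005:10:00:05 +0000] "GET /index.php?menuaction=addressbook.uiaddressbook.edit&ab_id=11%3Cb%3E HTTP/1.1" 200 5133',
    '192.0.2.10 - - [01/Jan/2005:10:00:09 +0000] "GET /tts/index.php?filter=u99 HTTP/1.1" 200 2048',
    '192.0.2.11 - - [01/Jan/2005:10:00:12 +0000] "GET /tts/index.php?filter=u99%27 HTTP/1.1" 500 310',
    '192.0.2.10 - - [01/Jan/2005:10:00:20 +0000] "GET /wiki/index.php?action=history&page=WikkiTikkiTavi&lang=en HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG):
        print(f"line {number}: unexpected value in {', '.join(hits)}")
```

Values are percent-decoded before matching, so encoded markup or quote characters in these parameters are flagged as well.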