
RETIRED: eGroupWare '_bad_protocol_once()' HTML Security Bypass Vulnerability

eGroupWare is prone to a vulnerability that allows arbitrary code to bypass HTML filtering.

An attacker can exploit this issue to execute arbitrary script code in the context of the application, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user; other attacks are also possible.

Versions prior to eGroupWare 1.4.003 are vulnerable; other versions may also be affected.

NOTE: This BID is now retired. It has been incorporated into BID 28599 (kses Multiple Input Validation Vulnerabilities), because the underlying problems are caused by the kses HTML filter.







 

Copyright 2009, SecurityFocus