Multiple Cross Site Scripting Vulnerabilities in eGroupWare Aug 22 2004 02:02AM
Joxean Koret (joxeankoret yahoo es)


Multiple Cross Site Scripting Vulnerabilities in eGroupWare

Author: Joxean Koret
Date: 2004
Location: Basque Country


Affected software description:

eGroupWare Version

eGroupWare is a multi-user, web-based groupware suite developed on a custom set of PHP-based APIs. Currently available modules include: email, addressbook, calendar, infolog (notes, to-do's, phone calls), content management, forum, bookmarks, wiki.

Web: http://www.egroupware.org




A. Multiple Cross Site Scripting Vulnerabilities

I will not explain every bug in full detail, because all the XSS vulnerabilities are of the same kind: a user-supplied parameter or form field is reflected into the page without sanitization.

A1. In the calendar module the "date" parameter is vulnerable to XSS. The error is due to incorrect sanitization of the "date" parameter. To try the vulnerability:


A2. The calendar module also offers a free-text search. The module does not sanitize the user-supplied search string at all. If you insert the following text you will see the vulnerability:


A3. The Address Book module has the same problem. To try the vulnerability, click on Address Book (at the top of the web page) and insert the following text in the search field, as a new example:

"><h1>That's fun!</h1>

These are the parameters that are vulnerable:

At /egroupware/index.php?menuaction=addressbook.uiaddressbook.index :

Field parameter
Filter parameter
QField parameter
Start parameter

A4. The option to search across projects is also vulnerable. Try this:

1.- Go to

2.- Insert "><h1>this is new, and other XSS


A5. In the messenger module (when composing a new message) the "Subject" field allows potentially dangerous HTML, such as, in another new example:

">hi<img src="http://localhost/anyimage"


A6. In the Ticket module, when performing the same action (creating a new element), the same field (Subject) is also vulnerable.
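The six findings above are one bug class: a request parameter or form field is copied into the page unescaped, and the quoted payloads all begin with "> so that they first close the attribute the value is echoed into. The following Python script is an added example, not eGroupWare code and not from the advisory. It models a hypothetical search page that reflects a parameter named "query" (standing in for "date", the search string, Field/Filter/QField/Start and Subject) in both an attribute and a text context, and checks the two payloads quoted in the advisory plus one constructed attribute-injection payload against the vulnerable renderer, a tag-stripping half-fix, and html.escape() with quote=True.

```python
"""Reflected XSS: vulnerable vs. hardened rendering of an echoed parameter.

Added example, not eGroupWare code. A request parameter ("query" here,
standing in for the advisory's "date", search string, Field/Filter/
QField/Start and Subject parameters) is echoed into an HTML attribute
and into page text, which is the pattern the advisory describes.
"""
import html
import re
from html.parser import HTMLParser

# Payloads quoted in the advisory (A3 and A5).
ADVISORY_PAYLOADS = [
    '"><h1>That\'s fun!</h1>',
    '">hi<img src="http://localhost/anyimage"',
]
# Constructed payload (not from the advisory): it adds attributes instead of
# tags, so a filter that only strips tags does not stop it.
ATTRIBUTE_PAYLOAD = '" onfocus="alert(1)" autofocus="'

# Hypothetical page fragment: the value lands in attribute and text context.
TEMPLATE = (
    '<form><input type="text" name="query" value="{q}"></form>\n'
    '<p>Results for: {q}</p>'
)


def render_vulnerable(query: str) -> str:
    """Echoes the parameter verbatim: the behaviour reported in A1-A6."""
    return TEMPLATE.format(q=query)


def render_half_fixed(query: str) -> str:
    """A common incomplete fix: drop anything that looks like a complete tag."""
    return TEMPLATE.format(q=re.sub(r'<[^>]*>', '', query))


def render_hardened(query: str) -> str:
    """Escape &, <, >, " and ' so the value cannot leave either context."""
    return TEMPLATE.format(q=html.escape(query, quote=True))


# Tags and attributes the template itself emits; anything else is injected.
EXPECTED = {'form': set(), 'input': {'type', 'name', 'value'}, 'p': set()}


class _TagCollector(HTMLParser):
    """Records every start tag and its attribute names."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []  # list of (tag name, set of attribute names)

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, {name for name, _ in attrs}))


# Any "<" that opens a tag other than the template's own (unclosed ones too).
_UNEXPECTED_TAG = re.compile(r'<(?!/?(?:form|input|p)\b)[a-zA-Z]')


def injected_markup(page: str) -> bool:
    """True if the rendered page contains markup the template did not emit."""
    if _UNEXPECTED_TAG.search(page):
        return True
    collector = _TagCollector()
    collector.feed(page)
    collector.close()
    return any(tag not in EXPECTED or not attrs <= EXPECTED[tag]
               for tag, attrs in collector.tags)


def evaluate() -> dict:
    """Per renderer, whether each payload (advisory 1, advisory 2,
    constructed attribute payload) ends up as live markup in the page."""
    renderers = {
        'vulnerable': render_vulnerable,
        'half_fixed': render_half_fixed,
        'hardened': render_hardened,
    }
    payloads = ADVISORY_PAYLOADS + [ATTRIBUTE_PAYLOAD]
    return {name: [injected_markup(fn(p)) for p in payloads]
            for name, fn in renderers.items()}


if __name__ == '__main__':
    for name, results in evaluate().items():
        print(f'{name:10s} injected={results}')
```

Two things the run shows that the advisory text alone does not: the second quoted payload deliberately leaves its <img> tag unclosed so that the page's own closing quote and bracket finish it, which also defeats a stripper that looks for complete tags; and even a filter that removes all tags is useless in attribute context unless quotes are escaped as well, which is why the hardened renderer uses html.escape(..., quote=True) (PHP's equivalent is htmlspecialchars() with ENT_QUOTES).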

The fix:


Vendor is not yet contacted or I have no





Joxean Koret at



