{"id":12805,"date":"2005-12-06T11:06:49","date_gmt":"2005-12-06T11:06:49","guid":{"rendered":"http:\/\/gaisan.com\/blogs\/?p=12805"},"modified":"2005-12-06T11:06:49","modified_gmt":"2005-12-06T11:06:49","slug":"fw-what-happened-on-taht-site","status":"publish","type":"post","link":"http:\/\/gaisan.com\/blogs\/?p=12805","title":{"rendered":"FW: what happened on taht site"},"content":{"rendered":"

\/\/=============================
\n\/\/ Shane Dempsey
\n\/\/ Managing Director,
\n\/\/ Gaisan Technologies Ltd.
\n\/\/ e: sdempsey@gaisan.com
\n\/\/ u: http:\/\/www.gaisan.com
\n\/\/ t: +353 (0)51 304224
\n\/\/=============================<\/p>\n

—–Original Message—–
\nFrom: Shane Michael Dempsey [mailto:sdempsey@gaisan.com]
\nSent: 06 December 2005 10:57
\nTo: ‘whayes@gaisan.com’
\nSubject: what happened on taht site<\/p>\n

Here’s the exploit.. <\/p>\n

PROGRAM: Moregroupware
\nHOMEPAGE: http:\/\/www.moregroupware.com\/
\nVULNERABLE VERSIONS: 0.6.7 and prior ?
\nRISK: Low\/Medium
\nIMPACT: Cross Site Scripting
\nRELEASE DATE: 2003-06-26<\/p>\n

=================================================
\nTABLE OF CONTENTS
\n=================================================<\/p>\n

1………………………………………………….DESCRIPTION
\n2……………………………………………………..DETAILS
\n3…………………………………………………….EXPLOITS
\n4……………………………………………………SOLUTIONS
\n5…………………………………………………..WORKAROUND
\n6…………………………………………..DISCLOSURE TIMELINE
\n7……………………………………………………..CREDITS
\n8…………………………………………………..DISCLAIMER
\n9…………………………………………………..REFERENCES
\n10……………………………………………………FEEDBACK<\/p>\n

1. DESCRIPTION
\n=================================================<\/p>\n

“Some of the features that are worth being mentioned:<\/p>\n

– Contact\/address management
\n– Webmail
\n– full-featured Calendar
\n– ToDo management
\n– News
\n– Project management
\n– Some preferences for each module
\n– Skins based on Cascading Style Sheets”<\/p>\n

(direct quote from http:\/\/www.moregroupware.com)<\/p>\n

2. DETAILS
\n=================================================<\/p>\n

– Cross Site Scripting :<\/p>\n

Many exploitable bugs was found in Moregroupware which cause script
\nexecution on client’s computer.<\/p>\n

This kind of attack known as “Cross-Site Scripting Vulnerability”
\nis present in many section of the web site, an attacker can input
\nspecially crafted links and\/or other malicious scripts.<\/p>\n

– Upload files :<\/p>\n

When you upload a file on the server you can upload some html files or
\nphp files. You can grab or change some informations with this
\npossibility.<\/p>\n

3. EXPLOIT
\n=================================================<\/p>\n

– Cross Site Scripting (many pages are infected) :<\/p>\n

http:\/\/[target]\/moregroupware\/modules\/contact\/index.php?<\/p>\n

You can add a contact and put , alert(); can be
\nreplaced by a malicious script.<\/p>\n

A dialog box is opened on the client browser.<\/p>\n

Impact is relatively low, as this is a closed group application.
\nPeople having access should be ‘trustable’.<\/p>\n

– Upload files :<\/p>\n

You can upload a file like file.php:<\/p>\n

And access it directly :
\nhttp:\/\/[target]\/moregroupware\/modules\/files\/store\/file.php<\/p>\n

This file is executed on the server and the information is divulged
\nto the hacker.<\/p>\n

4. SOLUTIONS
\n=================================================<\/p>\n

– Cross Site Scripting :
\nUse the function php eregi_replace to filter the input data.<\/p>\n

5. WORKAROUND
\n=================================================<\/p>\n

– Upload files :
\nSecure this module by replacing file extension or specify to the web
\nserver not to execute this files. A better way for this problem is
\nto set permissions on the store\/directory so that only the webserver can
\nread the files. A simple fix that actually works.<\/p>\n

this wasn’t done…<\/p>\n

6. DISCLOSURE TIMELINE
\n=================================================<\/p>\n

06\/20\/2003 Vendor notified
\n06\/24\/2003 Response from the vendor and corrections added
\n06\/25\/2003 Security Corporation clients notified
\n06\/26\/2003 Public disclosure<\/p>\n

7. CREDITS
\n=================================================<\/p>\n

Discovered by Fran?ois SORIN <\/p>\n

8. DISLAIMER
\n=================================================<\/p>\n

The information within this paper may change without notice. Use of
\nthis information constitutes acceptance for use in an AS IS condition.
\nThere are NO warranties with regard to this information. In no event
\nshall the author be liable for any damages whatsoever arising out of
\nor in connection with the use or spread of this information. Any use
\nof this information is at the user’s own risk.<\/p>\n

9. REFERENCES
\n=================================================<\/p>\n

– http:\/\/www.security-corporation.com\/articles-20030626-003.html<\/p>\n","protected":false},"excerpt":{"rendered":"

\/\/============================= \/\/ Shane Dempsey \/\/ Managing Director, \/\/ Gaisan Technologies Ltd. \/\/ e: sdempsey@gaisan.com \/\/ u: http:\/\/www.gaisan.com \/\/ t: +353 (0)51 304224 \/\/============================= —–Original Message—– From: Shane Michael Dempsey [mailto:sdempsey@gaisan.com] Sent: 06 December 2005 10:57 To: ‘whayes@gaisan.com’ Subject: what happened on taht site Here’s the exploit.. PROGRAM: Moregroupware HOMEPAGE: http:\/\/www.moregroupware.com\/ VULNERABLE VERSIONS: 0.6.7 and prior […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"_links":{"self":[{"href":"http:\/\/gaisan.com\/blogs\/index.php?rest_route=\/wp\/v2\/posts\/12805"}],"collection":[{"href":"http:\/\/gaisan.com\/blogs\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/gaisan.com\/blogs\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/gaisan.com\/blogs\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/gaisan.com\/blogs\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=12805"}],"version-history":[{"count":0,"href":"http:\/\/gaisan.com\/blogs\/index.php?rest_route=\/wp\/v2\/posts\/12805\/revisions"}],"wp:attachment":[{"href":"http:\/\/gaisan.com\/blogs\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=12805"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/gaisan.com\/blogs\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=12805"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/gaisan.com\/blogs\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=12805"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}