Vulnerabilities > CVE-2004-1385 - Information Disclosure vulnerability in Phpgroupware

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE
network
low complexity
phpgroupware
nessus
exploit available

Summary

phpGroupWare 0.9.16.003 and earlier allows remote attackers to gain sensitive information via (1) unexpected characters in the session ID such as shell metacharacters, (2) an invalid appname parameter to preferences.php or (3) an invalid menuaction parameter to index.php, which reveals the web server path in an error message.

Exploit-Db

description: phpGroupWare 0.9.x index.php Multiple Parameter SQL Injection. CVE-2004-1385. Webapps exploit for php platform
id: EDB-ID:24847
last seen: 2016-02-03
modified: 2004-12-15
published: 2004-12-15
reporter: James Bercegay
source: https://www.exploit-db.com/download/24847/
title: phpGroupWare 0.9.x index.php Multiple Parameter SQL Injection

Nessus

  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200501-08.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200501-08 (phpGroupWare: Various vulnerabilities). Several flaws were discovered in phpGroupWare making it vulnerable to cross-site scripting attacks, SQL injection, and full path disclosure. Impact: These vulnerabilities could allow an attacker to perform cross-site scripting attacks, execute SQL queries, and disclose the full path of the web directory. Workaround: There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 16399
    published: 2005-02-14
    reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/16399
    title: GLSA-200501-08 : phpGroupWare: Various vulnerabilities
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 200501-08.
    #
    # The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    # Registration phase: when the script is run with `description` set, only
    # the metadata below is declared and the script stops at exit(0). The
    # package check itself is the code that follows this block.
    if (description)
    {
      script_id(16399);
      script_version("1.16");
      script_cvs_date("Date: 2019/08/02 13:32:42");
    
      # One plugin ID covers all three CVEs of the advisory, so a finding from
      # this plugin does not say which of the three applies to the host.
      script_cve_id("CVE-2004-1383", "CVE-2004-1384", "CVE-2004-1385");
      script_xref(name:"GLSA", value:"200501-08");
    
      script_name(english:"GLSA-200501-08 : phpGroupWare: Various vulnerabilities");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-200501-08
    (phpGroupWare: Various vulnerabilities)
    
        Several flaws were discovered in phpGroupWare making it vulnerable to
        cross-site scripting attacks, SQL injection, and full path disclosure.
      
    Impact :
    
        These vulnerabilities could allow an attacker to perform cross-site
        scripting attacks, execute SQL queries, and disclose the full path of
        the web directory.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      # http://www.securityfocus.com/archive/1/384492
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.securityfocus.com/archive/1/384492"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/200501-08"
      );
      # Remediation text: the fixed package floor is 0.9.16.004, the same
      # boundary the version comparison after this block uses.
      script_set_attribute(
        attribute:"solution", 
        value:
    "All phpGroupWare users should upgrade to the latest version:
        # emerge --sync
        # emerge --ask --oneshot --verbose '>=www-apps/phpgroupware-0.9.16.004'
        Note: Users with the vhosts USE flag set should manually use
        webapp-config to finalize the update."
      );
      # A single CVSSv2 vector (network, no auth, partial C/I/A) is attached to
      # the advisory as a whole.
      # NOTE(review): the description groups SQL injection, XSS and path
      # disclosure, so this presumably rates the most severe of them - score
      # the individual CVEs separately when triaging.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      # "local" plugin: per script_summary and the KB keys required below it
      # evaluates the collected Gentoo package list, not the web application.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:phpgroupware");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2005/01/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/02/14");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Gentoo Local Security Checks");
    
      # The check needs the KB entries named here (local checks enabled, Gentoo
      # release, qpkg package list); ssh_get_info.nasl is declared as the
      # dependency that must run first.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    # Preconditions: stop with an audit message unless local checks are
    # enabled, the host was identified as Gentoo, and a package list exists.
    if (!get_kb_item("Host/local_checks_enabled"))
      audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release"))
      audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list"))
      audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Pure package-version comparison: anything below 0.9.16.004 is treated as
    # vulnerable, 0.9.16.004 and later as fixed. Nothing is sent to the web
    # application, so the result says "an unpatched package is installed",
    # not "the flaws were observed".
    # NOTE(review): a copy of phpGroupWare deployed outside the package manager
    # would presumably not appear in the qpkg list - confirm coverage with the
    # remote check.
    fixed_versions = make_list("ge 0.9.16.004");
    affected_versions = make_list("lt 0.9.16.004");
    is_vulnerable = qpkg_check(package:"www-apps/phpgroupware", unaffected:fixed_versions, vulnerable:affected_versions);
    
    if (!is_vulnerable)
    {
      # Report why nothing was flagged: package present but not affected, or
      # package not installed at all.
      checked = qpkg_tests_get();
      if (checked) audit(AUDIT_PACKAGE_NOT_AFFECTED, checked);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "phpGroupWare");
    }
    else
    {
      # The finding is host-level (port 0); the package comparison report is
      # attached only when report_verbosity is above 0.
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    
  • NASL family: CGI abuses
    NASL id: PHPGROUPWARE_XSS_AND_SQL.NASL
    description: The remote host seems to be running PhpGroupWare, a multi-user groupware suite written in PHP. The remote version of this software is vulnerable to multiple issues: - A cross-site scripting issue may allow an attacker to steal the credentials of third-party users of the remote host. (CVE-2004-1384) - A SQL injection vulnerability may allow an attacker to execute arbitrary SQL statements against the remote database. (CVE-2004-1383) - An information disclosure vulnerability exists that is triggered when a specially crafted URL request is sent to the 'index.php' script. (CVE-2004-1385)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 15983
    published: 2004-12-16
    reporter: This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/15983
    title: phpGroupWare <= 0.9.16.003 Multiple Vulnerabilities
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    # Registration phase: when the script is run with `description` set, only
    # the metadata below is declared and the script stops at exit(0). The
    # version check itself is the code that follows this block.
    if(description)
    {
     script_id(15983);
     script_version ("1.19");
    
     # One plugin ID covers three distinct CVEs (SQL injection, XSS and
     # information disclosure, per the description text below), so a finding
     # does not say which of them is actually reachable on the host.
     script_cve_id("CVE-2004-1383", "CVE-2004-1384", "CVE-2004-1385");
     script_bugtraq_id(11952);
    
     script_name(english:"phpGroupWare <= 0.9.16.003 Multiple Vulnerabilities");
    
     script_set_attribute(attribute:"synopsis", value:
    "A remote web application is vulnerable to several flaws." );
     script_set_attribute(attribute:"description", value:
    "The remote host seems to be running PhpGroupWare, a multi-user
    groupware suite written in PHP. 
    
    The remote version of this software is vulnerable to multiple issues :
    
      - A cross-site scripting issue may allow an attacker to 
        steal the credentials of third-party users of the remote 
        host. (CVE-2004-1384)
    
      - A SQL injection vulnerability may allow an attacker to 
        execute arbitrary SQL statements against the remote 
        database. (CVE-2004-1383)
      
      - An information disclosure vulnerability exists that
        is triggered when a specially crafted URL request is
        sent to the 'index.php' script. (CVE-2004-1385)" );
     script_set_attribute(attribute:"solution", value:
    "Update to the newest version of this software." );
     # A single CVSSv2 base vector (partial C/I/A) is attached to all three
     # issues together.
     # NOTE(review): this presumably rates the most severe of them rather than
     # the information disclosure alone - score each CVE separately when
     # triaging.
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
     # The temporal vector records E:POC (proof-of-concept exists) while
     # "exploit_available" below is "false" and "exploitability_ease" says no
     # exploit is required. Do not read "false" as "not exploitable".
     script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
     script_set_attribute(attribute:"exploit_available", value:"false");
     # The CWE list is broad; it includes 20 (improper input validation),
     # 74 (injection) and 79 (cross-site scripting) among other IDs.
     script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);
    
     script_set_attribute(attribute:"plugin_publication_date", value: "2004/12/16");
     script_set_attribute(attribute:"vuln_publication_date", value: "2004/12/14");
     script_cvs_date("Date: 2018/07/24 18:56:11");
    script_set_attribute(attribute:"plugin_type", value:"remote");
    script_set_attribute(attribute:"cpe",value:"cpe:/a:phpgroupware:phpgroupware");
    script_end_attributes();
    
     
     script_summary(english:"Checks the version of phpGroupWare");
     # NOTE(review): the category is ACT_ATTACK although the check following
     # this block only compares a version string already stored in the KB -
     # confirm how the scan policy treats this category before relying on the
     # plugin having run.
     script_category(ACT_ATTACK);
     script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
     script_family(english:"CGI abuses");
     # Declares phpgroupware_detect.nasl as the dependency that must run first
     # and restricts the plugin to web ports (Services/www, default 80).
     script_dependencie("phpgroupware_detect.nasl");
     script_require_ports("Services/www", 80);
     exit(0);
    }
    
    #
    # The script code starts here
    #
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    
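    # Version-only check: the finding is derived from the version string stored
    # in the KB for this port. No request that exercises the flaws is sent from
    # this code, so a result means "version <= 0.9.16.003 was detected", not
    # "the issues were confirmed".
    port = get_http_port(default:80);
    
    # Install record for this port; without one there is nothing to evaluate.
    kb = get_kb_item("www/" + port + "/phpGroupWare");
    if ( ! kb ) exit(0);
    
    # The KB value is parsed as "<version> under <path>". Stop explicitly when
    # it does not have that shape instead of indexing a NULL match result.
    matches = eregmatch(pattern:"(.*) under (.*)", string:kb);
    if ( isnull(matches) ) exit(0);
    
    # Matches 0.0 - 0.8.x, 0.9.0 - 0.9.15.x, 0.9.16.000 - 0.9.16.003 and the
    # 0.9.16 release candidates; 0.9.16.004 and later are not flagged.
    if ( ereg(pattern:"^0\.([0-8][^0-9]|9\.([0-9][^0-9]|1([0-5][^0-9]|6\.(00[0-3]|RC[0-9]))))", string:matches[1]))
    {
    	security_hole(port);
    	# These KB flags mark the port as XSS- and SQL-injection-affected on the
    	# strength of the version match alone; treat anything that reads them as
    	# inferred, not verified.
    	set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
    	set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
    }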