Info

Disclosure

Apr 12, 2005

Discovery

Unknown

Dates

Exploit

Apr 12, 2005

Solution

Unknown

Description

eGroupware email contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when an email is created with an attachment, then not sent. The attachment will be sent with the next outgoing message regardless of who sends the next mail.

Classification

Location: Local Access Required, Remote / Network Access
Attack Type: Information Disclosure, Misconfiguration
Impact: Loss of Confidentiality
Exploit: Exploit Public

Solution

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: If you attach a file to a message and then decide not to send it, logout of eGroupWare then log back on before sending any new messages.

Products

eGroupWare Development Team	eGroupWare	1.001
		1.006

References

Bugtraq ID: 13137
Secunia Advisory ID: 14940
Related OSVDB ID: 15499
CVE ID: 2005-1129 (see also: NVD)
ISS X-Force ID: 20088
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-04/0157.html
Vendor URL: http://www.egroupware.org/

Credit

MasterMind Security Group, Inc - MasterMind Security Group, Inc

Direct URL: http://osvdb.org/15499

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

eGroupWare Development Team

eGroupWare

References

Credit