phpgwapi/js/fckeditor/editor/dialog/fck_spellerpages/spellerpages/serverscripts/spellchecker.php in EGroupware 1.4.001+.002; 1.6.001+.002 and possibly other versions before 1.6.003; and EPL 9.1 before 9.1.20100309 and 9.2 before 9.2.20100309; allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) aspell_path or (2) spellchecker_lang parameters.

The remote host is affected by the vulnerability described in GLSA-201412-10 (Multiple packages, Multiple vulnerabilities fixed in 2012)

    Vulnerabilities have been discovered in the packages listed below.
      Please review the CVE identifiers in the Reference section for details.
      EGroupware       VTE       Layer Four Traceroute (LFT)       Suhosin       Slock       Ganglia       Jabber to GaduGadu Gateway   Impact :

    A context-dependent attacker may be able to gain escalated privileges,       execute arbitrary code, cause Denial of Service, obtain sensitive       information, or otherwise bypass security restrictions.
  Workaround :

    There is no known workaround at this time.

The remote web server is hosting eGroupWare, a web based groupware application written in PHP.  The installed version is earlier than 1.6.003.  Such versions are potentially affected by multiple vulnerabilities : 

  - A remote command execution vulnerability in the 'spellchecker_lang' and 'aspell_path' parameters of the 'spellchecker.php' script.

  - A cross-site scripting vulnerability in the 'lang' parameter of the 'login.php' script.

Nahuel Grisolia discovered two vulnerabilities in Egroupware, a web-based groupware suite: Missing input sanitising in the spellchecker integration may lead to the execution of arbitrary commands and a cross-site scripting vulnerability was discovered in the login page.

The version of eGroupWare hosted on the remote web server fails to sanitize user-supplied input to the 'aspell_path' and/or 'spellchecker_lang' parameters of the 'spellchecker.php' script before passing it to a shell.

An unauthenticated, remote attacker can leverage these issues to execute arbitrary commands subject to the privileges under which the web server operates.

Note that the install likely has a cross-site scripting vulnerability, although Nessus has not checked for this.

ID	Name	Product	Family	Severity
79963	GLSA-201412-10 : Multiple packages, Multiple vulnerabilities fixed in 2012	Nessus	Gentoo Local Security Checks	high
5365	eGroupWare < 1.6.003 Mutiple Vulnerabilities	Nessus Network Monitor	CGI	high
45055	Debian DSA-2013-1 : egroupware - several vulnerabilities	Nessus	Debian Local Security Checks	high
45023	eGroupWare spellchecker.php Arbitrary Shell Command Execution	Nessus	CGI abuses	high

Detections

Analytics

CVE-2010-3313

critical

Tenable Plugins

high

high

high

high