Security in EGroupware 14.1

EGroupware already implements the highest security measures; for example, passwords are encrypted by default using the Blowfish algorithm. So even if someone managed to break into your server and steal the database, your passwords are safe!

With 14.1 we have improved security even further and implemented two security measures not found in comparable products.

Content Security Policy: the ultimate measure against cross-site scripting
Cross-site scripting (XSS) is probably the biggest threat to web applications. It is caused by malicious users sneaking JavaScript commands into content they enter. If that content is output again by the server, the browser has no way to distinguish between intended inline JavaScript in the HTML markup (e.g. the onclick attribute of a button) and insufficiently escaped user content.

EGroupware was already quite safe in that regard thanks to its innovative eTemplate engine, which renders our user interface. However, there are more ways than pure user input to generate XSS.

Content Security Policy (CSP) to the rescue: a couple of years ago the W3C defined a means to tell browsers NOT to execute any inline JavaScript and not to load JavaScript files from untrusted sources. The good news is that it is now supported by all current browsers except Internet Explorer.

So why isn't everyone using it? Typical web applications use, for example, onclick attributes to connect buttons with their actions, or inline JavaScript blocks to define dynamic content. Changing that is a huge effort.

All major EGroupware applications use our newly developed eTemplate2 engine to generate their user interface. This engine was completely redesigned over the last three years, and one of its goals was to eliminate any inline JavaScript. eTemplate2, a new client-side API and extensive changes in the main EGroupware applications, as well as template code for the overall look and feel, allowed us to use CSP to forbid the browser to execute any inline JavaScript.
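As an added illustration (not EGroupware's own code), the following Python script builds the kind of CSP header described above and audits template markup for what a script-src without 'unsafe-inline' would refuse to run: onclick-style event handlers, inline script blocks and javascript: URLs. The directive set and the sample template are constructed for this example.

```python
from html.parser import HTMLParser

# Directive set assumed for illustration; it is not EGroupware's actual header.
CSP_POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'"],  # no 'unsafe-inline': inline JavaScript is refused
    "object-src": ["'none'"],
}

def build_csp_header(policy=CSP_POLICY):
    """Serialise a directive map into a Content-Security-Policy header value."""
    return "; ".join(f"{name} {' '.join(sources)}" for name, sources in policy.items())

class InlineScriptAuditor(HTMLParser):
    """Collects the markup that a CSP without 'unsafe-inline' will block."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, line number) pairs

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]  # position of the tag's opening "<"
        attrs = dict(attrs)      # HTMLParser lower-cases names; values may be None
        if tag == "script" and "src" not in attrs:
            self.findings.append(("inline-script-block", line))
        for name, value in attrs.items():
            if name.startswith("on"):  # onclick, onload, ... are inline handlers
                self.findings.append((f"event-handler:{name}", line))
            elif (name in ("href", "src", "action") and value
                  and value.strip().lower().startswith("javascript:")):
                self.findings.append(("javascript-url", line))

def audit_template(html):
    """Return a list of (kind, line) findings for markup this CSP would block."""
    auditor = InlineScriptAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample of a legacy template of the kind the post describes.
LEGACY_TEMPLATE = """<html><body>
<button onclick="save()">Save</button>
<a href="javascript:void(0)">Open</a>
<script>var x = 1;</script>
<script src="/egroupware/api/js/app.js"></script>
</body></html>"""

if __name__ == "__main__":
    print("Content-Security-Policy:", build_csp_header())
    print(audit_template(LEGACY_TEMPLATE))
```

Only the external script on the last template line survives the audit; the three other constructs are exactly what has to be moved into the served JavaScript files before such a header can be enabled.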

Old applications can still run using inline JavaScript by telling the EGroupware framework that they need it. These applications run either in an iframe or a popup to minimize their ability to interfere with already modernized eTemplate2 apps. The same is true for apps embedding rich text via CKEditor, which, despite our efforts to convince its makers, is not able to run without inline JavaScript.

Mail passwords in 14.1: now stored in their own password safe
To authenticate to an arbitrary IMAP or SMTP server, one needs a username and a cleartext (unencrypted) password.

Previous EGroupware versions already allowed using the user's login password, which is not stored anywhere permanently on the system. This required a mail server integrated with EGroupware, e.g. via LDAP.

The newly written mail app in 14.1 not only brings the user experience to a new level, it also improves security by safely storing mail passwords encrypted with the user's login password. This means, together with the up-to-date password security mentioned above, that a stolen database does not reveal your passwords!

You might ask what happens if a user changes his password. If that is done from within EGroupware, the stored mail passwords are automatically decrypted with the old password given by the user and re-encrypted with the new one. If an admin resets a password, he will not get access to the user's (private) mails!

EGroupware's new security features outlined above, our automatic and prompt security updates via the package manager of your Linux distribution, or Stylite AG's specialized EGroupware and email hosting recommend it as a safe alternative for your groupware or team organization needs.

Our hosting offers state-of-the-art encrypted connectivity with perfect forward secrecy (intercepted communication cannot be decrypted with later acquired keys), from web access to incoming and outgoing mail. All our servers are located in Germany under our full control. They use only the latest software versions and are permanently updated. Security-relevant incidents like the recent Heartbleed bug were mitigated within hours!

Ralf Becker

Director Software Development