security advisory - 2009-march-23


WebCit is a middleware application which provides a web based user interface for the Citadel groupware system. More information may be found at the project's site at the following URL:


WebCit uses a weak encoding for remote provided data to build up a local string. Exploitation of a format string vulnerability could allow a remote attacker to perform an unauthorized privilege escalation.

III. DETECTION has confirmed the existence of this vulnerability in version 7.22 of WebCit. Other components of the Citadel system are not affected.


If you are unable to upgrade your system to a non-vulnerable version of WebCit at this time, you may also choose to block access to the following URL's using your site's existing edge security tools:



This will prohibit remote exploit of this vulnerability, at the expense of reduced functionality of the program.

V. VENDOR RESPONSE has confirmed that this vulnerability has been fixed.

If you are using source code downloads, please upgrade to version 7.39 (or later).

If you are using the Easy Install system or the VMware appliance, please run a normal update in order to receive the patch.

If you are using Debian or Ubuntu packages, please upgrade to version 7.38-37 (or later).

Please be advised that you may also be required to upgrade the Citadel server in order to maintain compatibility with a new version of WebCit.


2009-02-13 - discovery of vulnerability

2009-02-13 - fix implemented

2009-03-23 - coordinated public disclosure


This vulnerability was discovered internally by Wilfried Goesgens and patched prior to disclosure.


Copyright ©

Permission is granted for unlimited redistribution of this alert. The information in this advisory is believed to be accurate at the time of publishing based on currently available information, and is provided “as is” with no warranties as to its accuracy or applicability. The publisher does not accept liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.