SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Generic)  >   phpGroupWare
Vendors:   phpGroupWare.org
phpGroupWare Input Validation Flaw Lets Remote Users Execute Arbitrary SQL Queries and Take Control of the Underlying Database
SecurityTracker Alert ID:  1003965
SecurityTracker URL:  http://securitytracker.com/id/1003965
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Apr 4 2002
Impact:   Execution of arbitrary code via network, User access via network
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 0.9.12, 0.9.12-3.2
Description:   A vulnerability was reported in phpGroupWare. A remote user who can reach the login page can inject SQL queries and take control of the database.

For example, a remote user can go to the login page of a phpGroupWare installation and enter the following line into the login form to create a new table in the phpGroupWare database:

fubar'; CREATE TABLE thistableshouldnotexist (a int); --

Impact:   A remote user can inject arbitrary SQL commands and take full control of the underlying SQL database.
Solution:   The vendor has reportedly confirmed the vulnerability and indicated that a fix will be developed in the future.

The author of the report has provided the following workarounds:

"Protect all phpgroupware directories on web server level - e.g. with a suitable .htaccess file so only trusted users have access to the login form and only those can destroy their own groupware app (which they hopefully don't want to)."

"Upgrade to 0.9.14 RC2. The problem seems to be fixed there, but neither is there a Debian package for it, yet, nor a statement that this bug has been fixed and to what extent nor is it a release version."

Vendor URL:  www.phpgroupware.org/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Underlying OS Comments:  PHP-based

Message History:   None.


Source Message Contents

Subject:  SQL injection in PHPGroupware


+ Preface

PHPGroupware is a Groupware application written in PHP. It
provides a framework of applications like calendar, ToDo list,
notes, HR management, that come with PHPGroupware as well as an
API to write new applications. All data is stored in an SQL
database.



+ Problem

PHPGroupware 0.9.12 (the current release version) is vulnerable
to SQL injection. This enables each attacker who can access the
login page of PHPGroupware to take over the database. This is
true in particular for the Debian package phpgroupware
(0.9.12-3.2) that has been tested.



+ Example

Go to the login page of a PHPGroupware installation. Enter:

fubar'; CREATE TABLE thistableshouldnotexist (a int); --

Enter the whole line. Don't forget the "'" after "fubar". The
database used for PHPGroupware now has a new table.



+ Vendor communication

When Chris Anley published his SQL injection white paper on
BugTraq a while ago I immediately tried PHPGroupware and found it
vulnerable. I informed the developers via IRC and urged them to
fix it. Several weeks, IRC sessions and one e-mail later, I still
haven't received any note that this bug has been fixed. They did
say that they will fix it in the future. A new version is to be
released soon but the PHPGW web page doesn't mention
a projected release date. After the vendor has failed to make a
binding statement about the next release for a really long period
I posted this message.



+ Workarounds

Fast pseudo-solution: Protect all phpgroupware directories on web
server level - e.g. with a suitable .htaccess file so only
trusted users have access to the login form and only those can
destroy their own groupware app (which they hopefully don't want
to).

Solution involving more work: upgrade to 0.9.14 RC2. The problem
seems to be fixed there, but neither is there a Debian package
for it, yet, nor a statement that this bug has been fixed and to
what extent nor is it a release version.


+ Further reading
http://www.phpgroupware.org
http://www.nextgenss.com/papers/advanced_sql_injection.pdf



Matthias Jordan

-- 
- "I want peace on earth and good will toward man" - "We are the United
   States Government. We don't do that sort of thing." (Sneakers)
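Added example (not part of the advisory, of the message above, or of phpGroupWare's own code): a minimal Python/sqlite3 model of the login query that the Description section and the message's Example section describe. It assumes that the 0.9.12 login code pasted the submitted login name straight into the SQL text and ran it through a driver that executes stacked, semicolon-separated statements (executescript() stands in for that driver); the accounts table, the 'admin'/'secret' row and the function names are constructed for the demo. The same advisory input is then run through a parameterised query, which is the fix a defender wants: the whole line is bound as a value, no table is created and the login simply fails.

```python
import sqlite3

# The exact line the advisory reports being typed into the phpGroupWare login form.
ADVISORY_PAYLOAD = "fubar'; CREATE TABLE thistableshouldnotexist (a int); --"


def fresh_db():
    """Constructed stand-in for the groupware database: one account table, one user."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE accounts (loginid TEXT, passwd TEXT)")
    # Cleartext password only to keep the demo short; real systems store a hash.
    con.execute("INSERT INTO accounts VALUES ('admin', 'secret')")
    con.commit()
    return con


def table_exists(con, name):
    """True if a table of that name exists in the connected database."""
    row = con.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (name,)
    ).fetchone()
    return row is not None


def login_vulnerable(con, loginid, passwd):
    """Assumed shape of the flaw: user input is concatenated into the SQL text.

    executescript() runs every ';'-separated statement it is handed, which is the
    stacked-query behaviour the advisory's CREATE TABLE example depends on. The real
    phpGroupWare 0.9.12 query text is not on the page; this is a model of it.
    """
    sql = "SELECT count(*) FROM accounts WHERE loginid='%s' AND passwd='%s'" % (
        loginid, passwd)
    # The attacker's ' closes the string, ; starts a second statement and
    # -- turns the rest of the original query into a comment.
    con.executescript(sql)
    # No return value: the point is the side effect on the database.


def login_safe(con, loginid, passwd):
    """Parameterised query: the input is bound as data and cannot become SQL syntax.

    The PHP equivalent is a PDO or mysqli prepared statement with bound parameters.
    """
    (n,) = con.execute(
        "SELECT count(*) FROM accounts WHERE loginid=? AND passwd=?", (loginid, passwd)
    ).fetchone()
    return n == 1


def demo():
    """Run the advisory's input through both versions and report what changed."""
    vuln_db = fresh_db()
    login_vulnerable(vuln_db, ADVISORY_PAYLOAD, "anything")

    safe_db = fresh_db()
    authenticated = login_safe(safe_db, ADVISORY_PAYLOAD, "anything")

    return {
        "vulnerable_created_table": table_exists(vuln_db, "thistableshouldnotexist"),
        "safe_created_table": table_exists(safe_db, "thistableshouldnotexist"),
        "safe_authenticated": authenticated,
        "safe_valid_login": login_safe(safe_db, "admin", "secret"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block shows the vulnerable path creating thistableshouldnotexist and the parameterised path leaving the schema untouched. Whether stacked statements are accepted at all depends on the database driver, which is why the fix is binding parameters rather than relying on the driver to reject a second statement.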


Copyright 2021, SecurityGlobal.net LLC