From: Matthias Jordan (mjordancode-fu.de)
Date: Wed Apr 03 2002 - 08:08:36 CST


    + Preface

    PHPGroupware is a Groupware application written in PHP. It
    provides a framework of applications like calendar, ToDo list,
    notes, HR management, that come with PHPGroupware as well as an
    API to write new applications. All data is stored in an SQL
    database.

    + Problem

    PHPGroupware 0.9.12 (the current release version) is vulnerable
    to SQL injection. This enables any attacker who can access the
    login page of PHPGroupware to take over the database. This is
    true in particular for the Debian package phpgroupware
    (0.9.12-3.2), which has been tested.

    + Example

    Go to the login page of a PHPGroupware installation. Enter:

    fubar'; CREATE TABLE thistableshouldnotexist (a int); --

    Enter the whole line. Don't forget the "'" after "fubar". The
    database used for PHPGroupware now has a new table.

    + Vendor communication

    When Chris Anley published his SQL injection white paper on
    BugTraq a while ago I immediately tried PHPGroupware and found it
    vulnerable. I informed the developers via IRC and urged them to
    fix it. Several weeks, IRC sessions and one e-mail later, I still
    haven't received any note that this bug has been fixed. They did
    say that they will fix it in the future. A new version is to be
    released soon, but the PHPGW web page doesn't mention
    a projected release date. After the vendor failed to make a
    binding statement about the next release for a really long period,
    I posted this message.

    + Workarounds

    Fast pseudo-solution: Protect all phpgroupware directories on web
    server level - e.g. with a suitable .htaccess file so only
    trusted users have access to the login form and only those can
    destroy their own groupware app (which they hopefully don't want
    to).

    Solution involving more work: upgrade to 0.9.14 RC2. The problem
    seems to be fixed there, but there is no Debian package for it
    yet, there is no statement that this bug has been fixed or to
    what extent, and it is not a release version.

    + Further reading
    http://www.phpgroupware.org
    http://www.nextgenss.com/papers/advanced_sql_injection.pdf

    Matthias Jordan

    -- 
    - "I want peace on earth and good will toward man" - "We are the United
       States Government. We don't do that sort of thing." (Sneakers)
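
Why the login input in the Example section changes the statement, and how a bound parameter neutralises it, as an added illustration that is not part of the original post and not PHPGroupware's code. It assumes Python's sqlite3 with a constructed `accounts` table; every function, table and column name other than the advisory's input string is hypothetical.

```python
import hashlib
import hmac
import os
import sqlite3

# The login-field input quoted in the advisory's Example section.
ADVISORY_INPUT = "fubar'; CREATE TABLE thistableshouldnotexist (a int); --"

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_db():
    """Constructed stand-in schema (hypothetical, not PHPGroupware's)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts "
               "(login TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    db.execute("INSERT INTO accounts VALUES (?, ?, ?)",
               ("alice", salt, _hash("s3cret-sample", salt)))
    return db

def unsafe_query_text(login):
    """Vulnerable pattern: the input is pasted into the SQL text, so a
    quote in it ends the string literal and the rest is parsed as SQL.
    The text is only built here, never executed."""
    return "SELECT salt, pw_hash FROM accounts WHERE login = '" + login + "'"

def check_login(db, login, password):
    """Hardened pattern: the input travels as a bound parameter and is
    only ever compared as data against the login column."""
    row = db.execute("SELECT salt, pw_hash FROM accounts WHERE login = ?",
                     (login,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(_hash(password, salt), stored)

def table_exists(db, name):
    q = "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?"
    return db.execute(q, (name,)).fetchone() is not None

if __name__ == "__main__":
    db = make_db()
    print(unsafe_query_text(ADVISORY_INPUT))   # two statements, tail commented out
    print(check_login(db, ADVISORY_INPUT, "x"))           # no such login
    print(table_exists(db, "thistableshouldnotexist"))    # schema unchanged
    print(check_login(db, "alice", "s3cret-sample"))      # normal login works
```

The same table-existence check, run against the real database after applying a workaround or upgrade, is a quick way to confirm that the advisory's input no longer alters the schema.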