SQL injection in PHPGroupware

From: Matthias Jordan (mjordan@code-fu.de)
Date: Wed Apr 03 2002 - 06:08:36 PST


    + Preface
    
    PHPGroupware is a groupware application written in PHP. It
    provides a framework of applications (calendar, ToDo list,
    notes, HR management and others) that ship with PHPGroupware,
    as well as an API for writing new applications. All data is
    stored in an SQL database.
    
    
    
    + Problem
    
    PHPGroupware 0.9.12 (the current release version) is vulnerable
    to SQL injection. Any attacker who can reach the login page of
    a PHPGroupware installation can take over the database. This was
    verified on the Debian package phpgroupware (0.9.12-3.2), which
    is the version that has been tested.
    
    
    
    + Example
    
    Go to the login page of a PHPGroupware installation. Enter:
    
    fubar'; CREATE TABLE thistableshouldnotexist (a int); --
    
    Enter the whole line. Don't forget the "'" after "fubar". The
    database used for PHPGroupware now has a new table.
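The following script is an added illustration, not code from the advisory or from PHPGroupware. It models the bug class in Python with sqlite3: a login query built by pasting the form fields into the SQL text, next to the same query with bound parameters. The accounts table, the `login_vulnerable`/`login_safe` functions and the use of `executescript()` (standing in for a backend that runs every ';'-separated statement it is handed, which is what the CREATE TABLE line above relies on) are all assumptions made for the demonstration; the only thing taken from the advisory is the line typed into the login form.

```python
import sqlite3

# The line the advisory says to type into the login form (copied from the
# text above); everything else in this file is constructed for illustration.
ADVISORY_PAYLOAD = "fubar'; CREATE TABLE thistableshouldnotexist (a int); --"


def fresh_db():
    """Constructed stand-in for the groupware database: one accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (login TEXT PRIMARY KEY, passwd TEXT)")
    conn.execute("INSERT INTO accounts VALUES ('alice', 'secret')")
    conn.commit()
    return conn


def table_exists(conn, name):
    """True if a table called `name` exists in this database."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def login_vulnerable(conn, login, passwd):
    """Model of the bug class: form fields pasted into the SQL text.

    This is not PHPGroupware's code. executescript() stands in for a backend
    that runs every ';'-separated statement it is handed in one call, which is
    what the advisory's CREATE TABLE payload relies on. Returns the SQL that
    was actually sent to the database so the reader can see the extra statement.
    """
    sql = "SELECT login FROM accounts WHERE login = '%s' AND passwd = '%s'" % (
        login,
        passwd,
    )
    conn.executescript(sql)
    return sql


def login_safe(conn, login, passwd):
    """Hardened form: values are bound as parameters, never spliced into SQL.

    The payload is now just an unusual user name; the quote, the ';' and the
    CREATE TABLE text are compared against the login column as plain characters.
    """
    row = conn.execute(
        "SELECT login FROM accounts WHERE login = ? AND passwd = ?",
        (login, passwd),
    ).fetchone()
    return row is not None


def demo():
    """Run both variants against the advisory's input and report what happened."""
    vulnerable_db = fresh_db()
    sent = login_vulnerable(vulnerable_db, ADVISORY_PAYLOAD, "anything")

    safe_db = fresh_db()
    payload_logged_in = login_safe(safe_db, ADVISORY_PAYLOAD, "anything")

    return {
        "sql_seen_by_vulnerable_backend": sent,
        "vulnerable_created_table": table_exists(vulnerable_db, "thistableshouldnotexist"),
        "safe_created_table": table_exists(safe_db, "thistableshouldnotexist"),
        "safe_login_with_payload": payload_logged_in,
        "safe_login_with_real_credentials": login_safe(safe_db, "alice", "secret"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%s: %s" % (key, value))
```

Run it and compare the two "created_table" lines: with string concatenation the database gains the extra table exactly as the advisory describes, while with bound parameters no second statement ever reaches the engine and the real credentials still work. The same split applies to PHP: the fix is to pass user input as a parameter (or, at minimum, through the database driver's escaping routine) rather than into the statement text.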
    
    
    
    + Vendor communication
    
    When Chris Anley published his SQL injection white paper on
    BugTraq a while ago I immediately tried PHPGroupware and found it
    vulnerable. I informed the developers via IRC and urged them to
    fix it. Several weeks, IRC sessions and one e-mail later, I still
    haven't received any note that this bug has been fixed. They did
    say that they will fix it in the future. A new version is to be
    released soon, but the PHPGW web page doesn't mention
    a projected release date. After the vendor has failed to make a
    binding statement about the next release for a really long period
    I posted this message.
    
    
    
    + Workarounds
    
    Fast pseudo-solution: Protect all phpgroupware directories at the
    web server level, e.g. with a suitable .htaccess file, so that
    only trusted users can reach the login form and only they can
    destroy their own groupware app (which they hopefully don't want
    to).
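As an added illustration of that workaround (not part of the original post), the fragment below is an Apache .htaccess that puts a directory behind HTTP Basic authentication; the realm name and the password-file path are assumptions, and the directory's configuration in httpd.conf must allow the override for these directives to take effect.

```apacheconf
# Constructed example .htaccess for the PHPGroupware document root.
# The matching <Directory> block in httpd.conf needs
# "AllowOverride AuthConfig", otherwise these lines are silently ignored.
AuthType Basic
AuthName "PHPGroupware - trusted users only"
# Assumed path; keep the password file outside the web root.
AuthUserFile /etc/phpgroupware/htpasswd
Require valid-user
```

Create the password file with `htpasswd -c /etc/phpgroupware/htpasswd <user>` (drop `-c` for further users). Basic authentication sends credentials in cleartext, so serve the directory over HTTPS; and, as the post notes, this only narrows who can reach the login form: anyone holding a password can still trigger the injection until the application itself is fixed.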
    
    Solution involving more work: upgrade to 0.9.14 RC2. The problem
    seems to be fixed there, but there is neither a Debian package
    for it yet, nor a statement that this bug has been fixed and to
    what extent, nor is it a release version.
    
    
    + Further reading
    
    http://www.phpgroupware.org
    http://www.nextgenss.com/papers/advanced_sql_injection.pdf
    
    
    
    Matthias Jordan
    
    -- 
    - "I want peace on earth and good will toward man" - "We are the United
       States Government. We don't do that sort of thing." (Sneakers)
    
