PHPGroupware - SQL injection
4th Apr 2002 [SBWID-5240]
COMMAND
	SQL injection in PHPGroupware
SYSTEMS AFFECTED
	PHPGroupware 0.9.12
PROBLEM
	Matthias Jordan said :
	
	PHPGroupware 0.9.12 (the current release version) is vulnerable to SQL
	injection. This enables each attacker who can access the login page of
	PHPGroupware to take over the database. This is true in particular for
	the Debian package phpgroupware (0.9.12-3.2) that has been tested.
	
	 Example
	 =======
	
	Go to the login page of a PHPGroupware installation. Enter:
	
	fubar'; CREATE TABLE thistableshouldnotexist (a int); --
	
	Enter the whole line. Don't forget the "'" after "fubar". The
	database used for PHPGroupware now has a new table.
SOLUTION
	Patch
	
	Solution involving more work: upgrade to 0.9.14 RC2
	
	Workarounds
	
	Fast pseudo-solution: Protect all phpgroupware directories on web
	server level - e.g. with a suitable .htaccess file so only trusted
	users have access to the login form and only those can destroy their
	own groupware app (which they hopefully don't want to).
	
	Further readings
	
	http://www.phpgroupware.org
	http://www.nextgenss.com/papers/advanced_sql_injection.pdf
	
	
	-Also- (Update 15 April 2002)
	
	Dan Kuykendall added :
	
	The problem is caused by a specific change to the standard PHP options
	by the Debian packages. For some reason magic_quotes_gpc is set to Off
	in the /etc/phpgroupware/apache.conf.
	
	If you change the two entries to On then the security hole disappears.
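
Added example (not part of the advisory and not PHPGroupware code): the login-field input quoted above, run against a string-concatenated lookup and against a bound-parameter lookup. An in-memory SQLite database stands in for the real one; the accounts table, its columns and the function names are assumptions.

```python
import sqlite3

# Login-field input quoted in the advisory.
ADVISORY_INPUT = "fubar'; CREATE TABLE thistableshouldnotexist (a int); --"

def new_db():
    # Constructed schema and account row (assumed names, not PHPGroupware's).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (login TEXT PRIMARY KEY, passwd TEXT)")
    db.execute("INSERT INTO accounts VALUES ('alice', 'constructed-hash')")
    return db

def table_names(db):
    rows = db.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    return sorted(r[0] for r in rows)

def lookup_concatenated(db, login):
    # Vulnerable pattern: the form value becomes part of the SQL text.
    # executescript() stands in for a driver call that runs every
    # ';'-separated statement it is handed.
    sql = "SELECT passwd FROM accounts WHERE login = '" + login + "';"
    db.executescript(sql)

def lookup_parameterized(db, login):
    # Hardened pattern: the value is bound as data and never parsed as SQL.
    cur = db.execute("SELECT passwd FROM accounts WHERE login = ?", (login,))
    return cur.fetchone()

def demo():
    unsafe_db, safe_db = new_db(), new_db()
    lookup_concatenated(unsafe_db, ADVISORY_INPUT)
    row = lookup_parameterized(safe_db, ADVISORY_INPUT)
    return table_names(unsafe_db), table_names(safe_db), row

if __name__ == "__main__":
    unsafe_tables, safe_tables, row = demo()
    print("concatenated :", unsafe_tables)
    print("parameterized:", safe_tables, "lookup result:", row)
```

With bound parameters the whole input is compared as a login name, so no account matches and the schema is unchanged.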
