Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Web :: PHP :: web5240.htm

PHPGroupware - SQL injection
4th Apr 2002 [SBWID-5240]

	SQL injection in PHPGroupware


	PHPGroupware 0.9.12


	Matthias Jordan said :

	PHPGroupware 0.9.12 (the current release version) is vulnerable  to  SQL
	injection. This enables each attacker who can access the login  page  of
	PHPGroupware to take over the database. This is true in  particular  for
	the Debian package phpgroupware (0.9.12-3.2) that has been tested.




	Go to the login page of a PHPGroupware installation. Enter:

	fubar\'; CREATE TABLE thistableshouldnotexist (a int); --


	Enter the whole line. Don\'t forget  the  \"\'\"  after  \"fubar\".  The
	database used for PHPGroupware now has a new table.



	Solution involving more work: upgrade to 0.9.14 RC2


	Fast  pseudo-solution:  Protect  all  phpgroupware  directories  on  web
	server level - e.g. with a  suitable  .htaccess  file  so  only  trusted
	users have access to the login form and only  those  can  destroy  their
	own groupware app (which they hopefully don\'t want to).

	Further readings



	-Also- (Update 15 April 2002)

	Dan Kuykendall added :

	The problem is caused by a specific change to the standard  PHP  options
	by the debian packages. For some reason magic_quotes_gpc is set  to  Off
	in the /etc/phpgroupware/apache.conf

	If you change the two entries to On then the security hole disappears.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH