COMMAND

    SQL injection in PHPGroupware

SYSTEMS AFFECTED

    PHPGroupware 0.9.12

PROBLEM

    Matthias Jordan said :

    PHPGroupware 0.9.12 (the current release version) is vulnerable to
    SQL injection. This enables each attacker who can access the login
    page of PHPGroupware to take over the database. This is true in
    particular for the Debian package phpgroupware (0.9.12-3.2) that has
    been tested.

    Example
    =======

    Go to the login page of a PHPGroupware installation. Enter:

        fubar'; CREATE TABLE thistableshouldnotexist (a int); --

    Enter the whole line. Don't forget the "'" after "fubar".

    The database used for PHPGroupware now has a new table.

SOLUTION

    Patch
    =====

    Solution involving more work: upgrade to 0.9.14 RC2

    Workarounds
    ===========

    Fast pseudo-solution: Protect all phpgroupware directories on web
    server level - e.g. with a suitable .htaccess file so only trusted
    users have access to the login form and only those can destroy their
    own groupware app (which they hopefully don't want to).

    Further readings
    ================

    http://www.phpgroupware.org
    http://www.nextgenss.com/papers/advanced_sql_injection.pdf

    -Also- (Update 15 April 2002)

    Dan Kuykendall added :

    The problem is caused by a specific change to the standard PHP
    options by the Debian packages. For some reason magic_quotes_gpc is
    set to Off in the /etc/phpgroupware/apache.conf. If you change the
    two entries to On then the security hole disappears.
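The following is an added example, not part of the advisory and not PHPGroupware code. It shows why the login value from the Example section splits into two statements when concatenated into SQL, why backslash escaping of the kind magic_quotes_gpc applies keeps it inside one string literal, and how a bound parameter avoids the problem altogether. The `accounts` table, its columns, the helper names and the simplified statement splitter (which models a backend that honours backslash escapes) are assumptions.

```python
import sqlite3

# Payload quoted in the advisory; table and column names below are assumptions.
PAYLOAD = "fubar'; CREATE TABLE thistableshouldnotexist (a int); --"

def magic_quotes(value):
    """Emulate magic_quotes_gpc: backslash-escape ', ", \\ and NUL."""
    escapes = {"'": "\\'", '"': '\\"', "\\": "\\\\", "\0": "\\0"}
    return "".join(escapes.get(ch, ch) for ch in value)

def build_login_query(login):
    """Vulnerable pattern: the login value is concatenated into the SQL text."""
    return "SELECT account_id FROM accounts WHERE login = '" + login + "'"

def split_statements(sql):
    """Split on ';' outside string literals, for a backend that treats
    backslash as an escape inside literals; '--' outside a literal ends parsing."""
    stmts, cur, in_str, i = [], "", False, 0
    while i < len(sql):
        ch = sql[i]
        if in_str and ch == "\\":
            cur += sql[i:i + 2]      # escaped character stays inside the literal
            i += 2
            continue
        if ch == "'":
            in_str = not in_str
        elif not in_str and sql.startswith("--", i):
            break
        elif not in_str and ch == ";":
            stmts.append(cur.strip())
            cur, i = "", i + 1
            continue
        cur += ch
        i += 1
    if cur.strip():
        stmts.append(cur.strip())
    return stmts

def table_created_with_bound_parameter(login):
    """Hardened form: the login is a bound parameter, never part of the SQL text."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (account_id INTEGER, login TEXT)")
    conn.execute("SELECT account_id FROM accounts WHERE login = ?", (login,)).fetchall()
    found = conn.execute("SELECT count(*) FROM sqlite_master "
                         "WHERE name = 'thistableshouldnotexist'").fetchone()[0]
    return found > 0
```

The escaping result holds only for a database that treats backslash as an escape character inside string literals; the bound-parameter form does not depend on that.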