
PHPGroupware - SQL injection
4th Apr 2002 [SBWID-5240]
COMMAND

	SQL injection in PHPGroupware

SYSTEMS AFFECTED

	PHPGroupware 0.9.12

PROBLEM

	Matthias Jordan said:

	PHPGroupware 0.9.12 (the current release version) is vulnerable to SQL
	injection. This enables each attacker who can access the login page of
	PHPGroupware to take over the database. This is true in particular for
	the Debian package phpgroupware (0.9.12-3.2) that has been tested.

	Example
	=======

	Go to the login page of a PHPGroupware installation. Enter:

	fubar'; CREATE TABLE thistableshouldnotexist (a int); --

	Enter the whole line. Don't forget the "'" after "fubar". The
	database used for PHPGroupware now has a new table.

SOLUTION

	Patch
	

	Solution involving more work: upgrade to 0.9.14 RC2
	

	Workarounds
	

	Fast pseudo-solution: Protect all phpgroupware directories on web
	server level - e.g. with a suitable .htaccess file so only trusted
	users have access to the login form and only those can destroy their
	own groupware app (which they hopefully don't want to).
	

	Further readings
	

	http://www.phpgroupware.org

	http://www.nextgenss.com/papers/advanced_sql_injection.pdf

	

	

	-Also- (Update 15 April 2002)
	

	Dan Kuykendall added:

	The problem is caused by a specific change to the standard PHP options
	by the Debian packages. For some reason magic_quotes_gpc is set to Off
	in the /etc/phpgroupware/apache.conf.
	

	If you change the two entries to On then the security hole disappears.
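
	Added example, not part of the original advisory or of PHPGroupware's code: magic_quotes_gpc was later removed from PHP (5.4), so the durable fix is to bind the login name as a query parameter instead of relying on input escaping. The accounts table, its columns and the function names are assumptions for illustration, run against an in-memory SQLite database through PDO.

```php
<?php
// Added example. Schema and function names are assumptions, not PHPGroupware's own.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE accounts (login TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO accounts (login, pw_hash) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Concatenated form (the vulnerable pattern): a quote in $login ends the string
// literal and everything after it is parsed as SQL. Built here only to be printed.
function build_lookup_unsafe(string $login): string
{
    return "SELECT pw_hash FROM accounts WHERE login = '$login'";
}

// Bound form: the statement text is fixed at prepare time and $login is passed
// separately as a value, so it can never change the statement's structure.
function check_login(PDO $db, string $login, string $password): bool
{
    $stmt = $db->prepare('SELECT pw_hash FROM accounts WHERE login = :login');
    $stmt->execute([':login' => $login]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($password, $hash);
}

// Helper to confirm that no unexpected table was created.
function table_exists(PDO $db, string $name): bool
{
    $stmt = $db->prepare("SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?");
    $stmt->execute([$name]);
    return $stmt->fetchColumn() !== false;
}

// Login-field input quoted from the advisory above.
$input = "fubar'; CREATE TABLE thistableshouldnotexist (a int); --";

echo build_lookup_unsafe($input), "\n";                  // query text the concatenated form would send
var_dump(check_login($db, $input, 'anything'));          // bound form: treated as an unknown login name
var_dump(table_exists($db, 'thistableshouldnotexist'));  // schema check after the attempt
var_dump(check_login($db, 'alice', 'correct horse'));    // a legitimate login still works
```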
