TUCoPS :: Web :: Wiki, Collaborationware :: c07-2648.htm

n.runs-SA-2007.003 - PHProjekt 5.2.0 - SQL Injection
n.runs-SA-2007.003 - PHProjekt 5.2.0 - SQL Injection
n.runs-SA-2007.003 - PHProjekt 5.2.0 - SQL Injection

n.runs AG
http://www.nruns.com/ security at nruns.com 
n.runs-SA-2007.003                                           14-Mar-2007

Vendor: Mayflower GmbH, http://www.mayflower.de 
Affected Products:     PHProjekt 5.2.0
Vulnerability:         SQL Injection
Risk:                  HIGH


Vendor communication:

  2006/12/31        initial notification of Mayflower
  2007/01/02        Mayflower Response
  2007/01/02        PGP keys exchange
  2007/01/02        PoCs sent to Mayflower
  2007/01/11        Mayflower confirmed the bugs
  2007/01/30        Mayflower fixed the bugs and sends RC1
  2007/01/30        n.runs informs Mayflower about a persisting XSS 
  2007/02/02        Mayflower confirmed the bug
  2007/02/08        Mayflower fixed the bugs and sends RC2   
  2007/02/12        n.runs informs Mayflower about a persisting XSS
  2007/02/15        Mayflower confirmed the bug
  2007/02/20        Mayflower fixed the bug and sends RC3
  2007/02/21        n.runs verifies RC3 and reported a possible flaw
                    within the new XSS protection library
  2007/03/14        PHProjekt 5.2.1 available
  2007/03/14        Coordinated disclosure


Quoting http://www.phprojekt.com/features.php?&newlang=eng 
"PHProjekt is a modular application for the coordination of group 
activities and to share informations and document via the web.
Components of PHProjekt: Group calendar, project management, time card 
system, file management, contact manager, mail client and many other 
PHProjekt supports many protocols like ldap, xml/soap and webdav and 
is available for 38 languages and 9 databases."

Multiple vulnerabilities have been found within different modules.
In detail, the following flaws were determined during a quick source 
code review for the modules Projects, Contacts, Helpdesk, Notes, Search
and Mail. 
During the validation the php.ini setting "magic_quotes_gpc" was 

a) The application suffers from a classical SQL Injection vulnerability 
   in the calendar module. 
b) A Blind SQL Injection can be triggered within the search module.
c) Furthermore it is possible to manipulate a cookie value, resulting in 
   another Blind SQL Injection when the user logs out.

There may be other modules which are affected, but they have not been 
subject to review at this point. 

The vulnerabilities were reported on Dec 31 2006 and an update has 
been released on Mar 14 2007.

Bugs found by Alexios Fakos of n.runs AG. 


Unaltered electronic reproduction of this advisory is permitted. For all
other reproduction or publication, in printing or otherwise, contact 
security@nruns.com for permission. Use of the advisory constitutes 
acceptance for use in an "as is" condition. All warranties are excluded.
In no event shall n.runs be liable for any damages whatsoever including
direct, indirect, incidental, consequential, loss of business profits or
special damages, even if n.runs has been advised of the possibility of 
such damages.

Copyright 2007 n.runs AG. All rights reserved. Terms of apply.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH