phpGroupWare SQL Injections and Local File Inclusion Vulnerabilities (CVE-2010-0403 and CVE-2010-0404)

2010-05-17T00:00:00
ID SECURITYVULNS:DOC:23871
Type securityvulns
Reporter Securityvulns
Modified 2010-05-17T00:00:00

Description

I. BACKGROUND

"phpGroupWare is a fully featured, web based messaging, collaboration and enterprise management platform. phpGroupWare comes with over 50 applications that can be mixed and matched according to your needs. Around the world tens of thousands of people use phpGroupWare every day." from phpgroupware.org

II. VULNERABILITIES

VUPEN Web Vulnerability Research Team discovered multiple vulnerabilities in phpGroupWare.

SQL Injections: Multiple input validation errors exist in the "class.sessions_db.inc.php", "class.translation_sql.inc.php", "class.sessions_db.inc.php" and "class.auth_sql.inc.php" scripts within the "phpgwapi/inc/" folder, which could allow SQL injection attacks.

Local File Inclusion: An input validation error exists in the "about.php" script when processing the "app" parameter, which could allow remote attackers to include local files with the privileges of the web server.

III. AFFECTED PRODUCTS

phpGroupWare version 0.9.16.015 and prior

IV. SOLUTION

Upgrade to phpGroupWare version 0.9.16.016

V. CREDIT

These vulnerabilities were discovered by VUPEN Security

VI. VUPEN Web Application Security Scanner (WASS)

VUPEN Web Application Security Scanner (WASS) is a SaaS web app. security scanning technology which enables corporations and organizations to identify, track and remediate security vulnerabilities affecting their web sites and web applications, prevent criminals from gaining unauthorized access to sensitive data, and comply with security requirements such as PCI.

VUPEN WASS is based on a proprietary technology developed by VUPEN security experts, and combines black-box (smart and automated) and grey-box (signature-based) scanning to accurately identify web vulnerabilities such as those in the OWASP Top 10 including SQL injection and cross-site scripting, but also real-world vulnerabilities such as shell command injection and file inclusion.

Read More: http://www.vupen.com/english/wass/

VII. REFERENCES

http://www.vupen.com/english/advisories/2010/1145 http://forums.phpgroupware.org/index.php?t=msg&th=98662&start=0&rid=0 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0403 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0403

VIII. DISCLOSURE TIMELINE

2010-04-14 - Vendor notified 2010-04-21 - Vendor response 2010-05-14 - Coordinated public Disclosure