SQL injection in PHPGroupware

2002-04-04T00:00:00
ID SECURITYVULNS:DOC:2718
Type securityvulns
Reporter Securityvulns
Modified 2002-04-04T00:00:00

Description

  • Preface

PHPGroupware is a Groupware application written in PHP. It provides a framework of applications like calendar, ToDo list, notes, HR management, that come with PHPGroupware as well as an API to write new applications. All data is stored in an SQL database.

  • Problem

PHPGroupware 0.9.12 (the current release version) is vulnerable to SQL injection. This enables any attacker who can access the login page of PHPGroupware to take over the database. In particular, this holds for the Debian package phpgroupware (0.9.12-3.2), which has been tested.

  • Example

Go to the login page of a PHPGroupware installation. Enter:

fubar'; CREATE TABLE thistableshouldnotexist (a int); --

Enter the whole line. Don't forget the "'" after "fubar". The database used for PHPGroupware now has a new table.
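Why that input reaches the database as SQL, and the bound-parameter form that keeps it as data, shown as an added example that is not PHPGroupware's code. The accounts table, its columns and the function names are hypothetical, and an in-memory SQLite database stands in for the real one (requires the pdo_sqlite extension).

```php
<?php
declare(strict_types=1);
// Added example, not phpGroupWare code. The accounts table and its
// columns are hypothetical; SQLite in memory stands in for the real database.

function make_db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec("CREATE TABLE accounts (login TEXT PRIMARY KEY, pwhash TEXT)");
    $pdo->exec("INSERT INTO accounts VALUES ('alice', 'constructed-hash')");
    return $pdo;
}

function table_exists(PDO $pdo, string $name): bool {
    $st = $pdo->prepare(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?");
    $st->execute([$name]);
    return $st->fetchColumn() !== false;
}

// Before: the login name is pasted into the statement text, so a quote in
// it ends the string literal and the rest is parsed as SQL. exec() hands the
// whole string to the engine, as a driver that accepts stacked statements does.
function lookup_concat(PDO $pdo, string $login): void {
    $pdo->exec("SELECT pwhash FROM accounts WHERE login = '" . $login . "'");
}

// After: the statement text is fixed and the login name is bound as a
// value, so it is only ever compared against the login column.
function lookup_bound(PDO $pdo, string $login): ?string {
    $st = $pdo->prepare("SELECT pwhash FROM accounts WHERE login = ?");
    $st->execute([$login]);
    $hash = $st->fetchColumn();
    return $hash === false ? null : (string) $hash;
}

// The login-field input quoted in the advisory.
$input = "fubar'; CREATE TABLE thistableshouldnotexist (a int); --";

$before = make_db();
lookup_concat($before, $input);
echo "concatenated: table created = ";
var_dump(table_exists($before, 'thistableshouldnotexist'));

$after = make_db();
echo "bound: row found = ";
var_dump(lookup_bound($after, $input) !== null);
echo "bound: table created = ";
var_dump(table_exists($after, 'thistableshouldnotexist'));
```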

  • Vendor communication

When Chris Anley published his SQL injection white paper on BugTraq a while ago I immediately tried PHPGroupware and found it vulnerable. I informed the developers via IRC and urged them to fix it. Several weeks, IRC sessions and one e-mail later, I still haven't received any note that this bug has been fixed. They did say that they will fix it in the future. A new version is to be released in the near future, but the PHPGW web page doesn't mention a projected release date. After the vendor has failed to make a binding statement about the next release for a really long period I posted this message.

  • Workarounds

Fast pseudo-solution: Protect all phpgroupware directories on web server level - e.g. with a suitable .htaccess file so only trusted users have access to the login form and only those can destroy their own groupware app (which they hopefully don't want to).

Solution involving more work: upgrade to 0.9.14 RC2. The problem seems to be fixed there, but there is no Debian package for it yet, there is no statement that this bug has been fixed or to what extent, and it is not a release version.

  • Further readings

http://www.phpgroupware.org
http://www.nextgenss.com/papers/advanced_sql_injection.pdf

Matthias Jordan

--
- "I want peace on earth and good will toward man"
- "We are the United States Government. We don't do that sort of thing."
(Sneakers)