Bug 235052 (CVE-2006-1495) - www-apps/phpcollab: SQL / shell command / PHP code injection (CVE-2006-1495, CVE-2008-{4303,4304,4305})
Status: RESOLVED FIXED
Alias: CVE-2006-1495
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All
OS: All
Importance: High major
Assignee: Gentoo Security
URL: http://www.milw0rm.com/exploits/1617
Whiteboard: B1 [masked]
Reported: 2008-08-17 23:18 UTC by Robert Buchholz (RETIRED)
Modified: 2008-12-21 19:27 UTC
Description Robert Buchholz (RETIRED) gentoo-dev 2008-08-17 23:18:53 UTC
CVE-2006-1495 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-1495):
  SQL injection vulnerability in general/sendpassword.php in (1) PHPCollab 2.4
  and 2.5.rc3, and (2) NetOffice 2.5.3-pl1 and 2.6.0b2 allows remote attackers
  to execute arbitrary SQL commands via the loginForm parameter in the
  "forgotten password" option.
Comment 1 Christian Hoffmann (RETIRED) gentoo-dev 2008-08-18 00:24:30 UTC
Re-rating as B1 as it indirectly allows for remote code execution.
I initially intended to hack up a quick patch, but well, after having a quick look at the code....
This thing should really be removed from the tree, because:
  * The SQL injection issue is not just present in general/sendpassword.php
    but almost *EVERYWHERE*
  * The admin panel allows for PHP code injection as demonstrated in $URL
    (requires admin privs which you can obtain by exploiting the SQL
    injection issue)
  * With register_globals=on it looks like it is possible to inject arbitrary
    shell code (general/login.php:28 using SSL_CLIENT_CERT)

Most of this also assumes magic_quotes_gpc=off. I only had a quick look at the code, so someone should maybe verify this...


I'm referring to the 2.4 (even stable on Gentoo/ppc) code base, but 2.5 has the same code and is vulnerable as well.
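The pattern Comment 1 and the CVE text describe (a "forgotten password" lookup that interpolates the `loginForm` request parameter straight into SQL) is shown below as an added example beside a parameterised version. This is illustrative code written for this page, not phpcollab's own `general/sendpassword.php`; the table and column names, the SQLite backend and the injection payload are all assumptions. The vulnerable variant behaves as with `magic_quotes_gpc=off`, the configuration Comment 1 notes the issue mostly assumes; `magic_quotes_gpc=on` only backslash-escapes quotes (a MySQL-specific mitigation, dropped in PHP 5.4) and is not a fix.

```php
<?php
// Added example, not phpcollab code. Schema, column names and the payload
// are constructed for this demonstration; the DB is an in-memory SQLite.

function setup_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE members (
        id INTEGER PRIMARY KEY, login TEXT, email TEXT, password TEXT, profil INTEGER)");
    // profil 0 = administrator (assumed convention for this example)
    $db->exec("INSERT INTO members (login, email, password, profil)
               VALUES ('admin', 'admin@example.test', 's3cret', 0)");
    $db->exec("INSERT INTO members (login, email, password, profil)
               VALUES ('alice', 'alice@example.test', 'hunter2', 1)");
    return $db;
}

// Vulnerable: the request parameter is concatenated into the query text,
// so a quote in $loginForm terminates the string literal and the rest is
// parsed as SQL (this is the magic_quotes_gpc=off behaviour).
function sendpassword_vulnerable(PDO $db, string $loginForm): array {
    $sql = "SELECT login, email, password FROM members WHERE login = '$loginForm'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: a prepared statement with a bound parameter. The value is never
// parsed as SQL, whatever characters it contains, and the fix does not
// depend on any php.ini setting.
function sendpassword_fixed(PDO $db, string $loginForm): array {
    $stmt = $db->prepare("SELECT login, email, password FROM members WHERE login = ?");
    $stmt->execute([$loginForm]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = setup_db();
$payload = "' OR '1'='1";   // constructed payload sent as ?loginForm=...

// The WHERE clause becomes always-true: every row, including the admin's
// credentials, comes back where the app expected to find one user to mail.
$rows = sendpassword_vulnerable($db, $payload);
printf("vulnerable, injected: %d rows (%s)\n", count($rows),
       implode(',', array_column($rows, 'login')));

// Same payload against the parameterised query matches no login name.
$rows = sendpassword_fixed($db, $payload);
printf("fixed, injected: %d rows\n", count($rows));

// Legitimate lookup still works.
$rows = sendpassword_fixed($db, 'alice');
printf("fixed, 'alice': %d rows\n", count($rows));
```

Run with `php sendpassword_demo.php` (needs the pdo_sqlite extension). The vulnerable call returns both rows, the two fixed calls return 0 and 1 rows respectively. The same fix applies to every other interpolated query in the code base, which is why Comment 1 treats the issue as pervasive rather than limited to one file.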
Comment 2 Christian Hoffmann (RETIRED) gentoo-dev 2008-08-18 00:46:28 UTC
I just verified that the mentioned issues are really exploitable... they are.
Comment 3 Christian Hoffmann (RETIRED) gentoo-dev 2008-08-18 01:04:21 UTC
Found yet another issue which allows for remote code execution. It doesn't depend on register_globals/magic_quotes_gpc either, so the default config should be considered vulnerable (forwarding exact exploit in private).

Time for p.mask + removal? :)
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-08-18 10:55:27 UTC
I'd mask because of the state the code is in.
Comment 5 Christian Hoffmann (RETIRED) gentoo-dev 2008-08-18 11:05:34 UTC
Upstream replied to my mail from tonight and said they'll look into it, but I doubt this can be fixed in a few days...
Comment 6 Christian Hoffmann (RETIRED) gentoo-dev 2008-08-18 16:30:01 UTC
I privately mailed coley to get CVEs and asked upstream about the plans for a fixed version.
Comment 7 Christian Hoffmann (RETIRED) gentoo-dev 2008-08-25 23:13:36 UTC
+# Christian Hoffmann <hoffie@gentoo.org> (26 Aug 2008)
+# Masked for security, bug 235052; codebase seems to have lots of problems,
+# needs time to fix or final removing, see the referenced bug for progress
+www-apps/phpcollab

Let's see if upstream is able to provide a fix in the near future, haven't got any new responses (neither from upstream nor from coley).
Comment 8 Christian Hoffmann (RETIRED) gentoo-dev 2008-09-06 20:11:41 UTC
(In reply to comment #7)
> Let's see if upstream is able to provide a fix in the near future, haven't got
> any new responses (neither from upstream nor from coley).
I'm usually not impatient with regards to email response times, but as we are talking about a security issue here and I have neither received a reply from upstream nor from coley, I've resent both mails with a short ping.
Comment 9 Christian Hoffmann (RETIRED) gentoo-dev 2008-10-13 16:28:37 UTC
Yet another month gone (or even more) and still no reply, I wonder what makes our mails (Robert's and mine) not reach Coley...
Should we go without CVEs? Or maybe try vendor-sec?
Comment 10 Christian Hoffmann (RETIRED) gentoo-dev 2008-10-19 16:50:58 UTC
bressers gave us CVEs, mail to vendor-sec sent as well. Still no further upstream reaction.
Are we going to send a maskglsa soon? I think we should really give out some kind of advisory.
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2008-10-19 20:05:18 UTC
request filed, let's add 2008-10-31 to the bug as removal date and get this here over with.
Comment 12 Gunnar Wrobel (RETIRED) gentoo-dev 2008-10-30 15:00:17 UTC
Issued last rites. Package will be removed in 30 days.
Comment 13 Christian Hoffmann (RETIRED) gentoo-dev 2008-11-06 14:00:43 UTC
Security, we should really send a GLSA here, shouldn't we? And we are way overdue our timeline...
Comment 14 Gunnar Wrobel (RETIRED) gentoo-dev 2008-12-03 10:46:56 UTC
Ebuild removed. webapps done.
Comment 15 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-12-21 19:27:33 UTC
GLSA 200812-20, sorry for the delay.