Bug 433988 (CVE-2012-4240) - <www-apps/groupoffice-4.0.97: "sort" SQL Injection Vulnerability (CVE-2012-4240)
Summary: <www-apps/groupoffice-4.0.97: "sort" SQL Injection Vulnerability (CVE-2012-4240)
Status: RESOLVED FIXED
Alias: CVE-2012-4240
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://secunia.com/advisories/49162/
Whiteboard: B3 [noglsa]
Reported: 2012-09-05 05:12 UTC by Agostino Sarubbo
Modified: 2013-10-07 10:07 UTC
Description Agostino Sarubbo gentoo-dev 2012-09-05 05:12:11 UTC
Description
ReactionIS has discovered a vulnerability in Group-Office, which can be exploited by malicious users to conduct SQL injection attacks.

Input passed via the "sort" parameter to modules/calendar/json.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The vulnerability is confirmed in version 4.0.89. Other versions may also be affected.


Solution
Update to version 4.0.90.
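As an added illustration, not Group-Office's own code and not the content of the fixed json.php, here is the pattern the advisory describes (a request-supplied "sort" value concatenated into ORDER BY) beside the allowlist that closes it; table and column names are assumed. Prepared-statement placeholders cannot stand in for an ORDER BY identifier, which is why an allowlist rather than escaping is the fix.

```php
<?php
// Added illustration, not Group-Office code. Table and column names are
// hypothetical. Placeholders cannot be used for an ORDER BY identifier, so
// a request value used there has to be restricted by an allowlist instead.

// Vulnerable pattern: the "sort" value is pasted into the query text, so the
// client controls SQL syntax, not just which column is chosen.
function buildEventQueryUnsafe(string $sort): string
{
    return 'SELECT id, name, start_time FROM events ORDER BY ' . $sort;
}

// Hardened pattern: the request value is only a key into a fixed map of
// permitted columns; the emitted SQL never contains request input.
const SORT_COLUMNS = [
    'name'  => 'name',
    'start' => 'start_time',
    'end'   => 'end_time',
];

function buildEventQuerySafe(string $sort, string $dir = 'ASC'): string
{
    if (!array_key_exists($sort, SORT_COLUMNS)) {
        throw new InvalidArgumentException('unknown sort key');
    }
    // Direction has exactly two legal spellings; anything else becomes ASC.
    $dir = strtoupper($dir) === 'DESC' ? 'DESC' : 'ASC';
    return 'SELECT id, name, start_time FROM events ORDER BY '
        . SORT_COLUMNS[$sort] . ' ' . $dir;
}

// Constructed request values for the demonstration: one legitimate sort key
// and one value that is not a key at all.
$requests = ['start', 'start_time; SELECT 1'];

foreach ($requests as $sort) {
    echo "unsafe: " . buildEventQueryUnsafe($sort) . "\n"; // both pass through
    try {
        echo "safe:   " . buildEventQuerySafe($sort, 'desc') . "\n";
    } catch (InvalidArgumentException $e) {
        echo "safe:   rejected (" . $e->getMessage() . ")\n";
    }
}
```

The unsafe builder emits whatever it is given; the safe builder emits `ORDER BY start_time DESC` for the first value and throws for the second.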
Comment 1 Matti Bickel (RETIRED) gentoo-dev 2012-09-14 15:15:58 UTC
I took the liberty to bump the package again. Straight copy worked in my local tests.
Comment 2 Agostino Sarubbo gentoo-dev 2012-09-14 18:20:41 UTC
(In reply to comment #1)
> I took the liberty to bump the package again. Straight copy worked in my
> local tests.

Since this is a non-maintainer commit, we can wait a bit and go ahead. Thanks for bumping it.
Comment 3 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-11 03:38:29 UTC
Arches, please test and stable =www-apps/groupoffice-4.0.97, target arch amd64. Thanks!
Comment 4 Agostino Sarubbo gentoo-dev 2013-09-11 14:00:37 UTC
amd64 stable
Comment 5 Sean Amoss (RETIRED) gentoo-dev Security 2013-09-30 23:16:20 UTC
GLSA vote: no.
Comment 6 Sergey Popov gentoo-dev 2013-10-07 10:07:00 UTC
GLSA vote: no

Closing as noglsa