CVE-2006-1495 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-1495): SQL injection vulnerability in general/sendpassword.php in (1) PHPCollab 2.4 and 2.5.rc3, and (2) NetOffice 2.5.3-pl1 and 2.6.0b2 allows remote attackers to execute arbitrary SQL commands via the loginForm parameter in the "forgotten password" option.
Re-rating as B1 as it indirectly allows for remote code execution. I initially intended to hack up a quick patch, but well, after having a quick look at the code.... This thing should really be removed from the tree, because:
* The SQL injection issue is not just present in general/sendpassword.php but almost *EVERYWHERE*
* The admin panel allows for PHP code injection as demonstrated in $URL (requires admin privs which you can obtain by exploiting the SQL injection issue)
* With register_globals=on it looks like it is possible to inject arbitrary shell code (general/login.php:28 using SSL_CLIENT_CERT)
Most of this also assumes magic_quotes_gpc=off. I only had a quick look at the code, so someone should maybe verify this... I'm referring to the 2.4 (even stable on Gentoo/ppc) code base, but 2.5 has the same code and is vulnerable as well.
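As an added illustration of the bug class discussed in this thread (this is constructed example code, not the PHPCollab or NetOffice source, which is not quoted here): a "forgotten password" lookup written in the string-interpolation style that makes the loginForm parameter injectable, beside the same lookup using a bound parameter. The table and column names (`members`, `login`, `email_work`), the `$db`/`$pdo` connections and the `$_POST['loginForm']` field are assumptions for the example.

```php
<?php
// Constructed example, not project code. Shows why magic_quotes_gpc / register_globals
// settings are not a fix and what the actual fix looks like.

// UNSAFE pattern: the user-controlled value is pasted into the SQL text. A single
// quote in the input terminates the string literal and whatever follows is parsed
// as SQL. magic_quotes_gpc=on only masks this for some inputs; it is not a defense.
function findMemberUnsafe(mysqli $db, string $loginForm): ?array
{
    $sql = "SELECT id, email_work FROM members WHERE login = '$loginForm'";
    $res = $db->query($sql);
    if ($res === false) {
        return null;
    }
    $row = $res->fetch_assoc();
    return $row ?: null;
}

// HARDENED: the value is sent to the database as a bound parameter, so it is only
// ever compared as data, whatever characters it contains and whatever the php.ini
// quoting settings are.
function findMemberSafe(PDO $pdo, string $loginForm): ?array
{
    $stmt = $pdo->prepare('SELECT id, email_work FROM members WHERE login = :login');
    $stmt->execute([':login' => $loginForm]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Read the request parameter explicitly instead of relying on register_globals to
// populate a variable named $loginForm (assumed field name; not project code).
$pdo = new PDO('mysql:host=localhost;dbname=example', 'user', 'pass', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false, // use real server-side prepared statements
]);
$loginForm = isset($_POST['loginForm']) ? (string) $_POST['loginForm'] : '';
$member = findMemberSafe($pdo, $loginForm);
```

The point for anyone triaging a codebase like this: the fix is not an ini setting but replacing every interpolated query with a prepared statement, which is why the comment above concludes the whole tree, not just sendpassword.php, needs attention.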
I just verified that the mentioned issues are really exploitable... they are.
Found yet another issue which allows for remote code execution. It doesn't depend on register_globals/magic_quotes_gpc either, so the default config should be considered vulnerable (forwarding exact exploit in private). Time for p.mask + removal? :)
I'd mask because of the state the code is in.
Upstream replied to my mail from tonight and said they'll look into it, but I doubt this can be fixed in a few days...
I privately mailed coley to get CVEs and asked upstream about the plans for a fixed version.
+# Christian Hoffmann <hoffie@gentoo.org> (26 Aug 2008) +# Masked for security, bug 235052; codebase seems to have lots of problems, +# needs time to fix or final removing, see the referenced bug for progress +www-apps/phpcollab Let's see if upstream is able to provide a fix in the near future, haven't got any new responses (neither from upstream nor from coley).
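Review bot: the mask comment says "needs time to fix or final removing" but gives no removal date; Gentoo's package.mask convention for a removal mask is to state the planned date (or "removal in 30 days") so users and the tree-cleaning step have a deadline, so add one once it is decided. Also, the atom `www-apps/phpcollab` masks every version, which matches the intent stated in the comment (whole codebase affected) rather than a single bad release.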
(In reply to comment #7)
> Let's see if upstream is able to provide a fix in the near future, haven't got
> any new responses (neither from upstream nor from coley).
I'm usually not impatient with regards to email response times, but as we are talking about a security issue here and I have neither received a reply from upstream nor from coley, I've resent both mails with a short ping.
Yet another month gone (or even more) and still no reply, I wonder what makes our mails (Robert's and mine) not reach Coley... Should we go without CVEs? Or maybe try vendor-sec?
bressers gave us CVEs, mail to vendor-sec sent as well. Still no further upstream reaction. Are we going to send a maskglsa soon? I think we should really give out some kind of advisory.
request filed, let's add 2008-10-31 to the bug as removal date and get this here over with.
Issued last rites. Package will be removed in 30 days.
Security, we should really send a GLSA here, shouldn't we? And we are way overdue our timeline...
Ebuild removed. webapps done.
GLSA 200812-20, sorry for the delay.