SQL injection vulnerability in general/sendpassword.php in (1) PHPCollab 2.4
and 2.5.rc3, and (2) NetOffice 2.5.3-pl1 and 2.6.0b2 allows remote attackers
to execute arbitrary SQL commands via the loginForm parameter in the
"forgotten password" option.
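The following is an added illustration of the vulnerability class the description names, not code from PHPCollab or NetOffice: the page only states that the "forgotten password" handler in general/sendpassword.php passes the loginForm parameter into SQL, so the table, column and query shape below are assumed. It shows the concatenation pattern that makes such a handler injectable when magic_quotes_gpc is off, beside a prepared-statement version that does not depend on any quoting setting.

```php
<?php
// Added example. Hypothetical query shape: the real sendpassword.php query,
// table and column names are not on the page and are assumed here.

// Builds the SQL text the way a string-concatenating handler would.
// Returned as a string so the effect of a crafted loginForm value is visible
// without a database. With magic_quotes_gpc=off nothing escapes the quote.
function build_lookup_sql_unsafe(string $loginForm): string
{
    return "SELECT id, email FROM members WHERE login = '" . $loginForm . "'";
}

// Vulnerable lookup: the attacker-controlled value becomes part of the
// statement, so  x' OR '1'='1  rewrites the WHERE clause and  x'; ...
// can append further statements where the driver allows multi-queries.
function lookup_user_unsafe(mysqli $db, string $loginForm): ?array
{
    $res = $db->query(build_lookup_sql_unsafe($loginForm));
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// Hardened lookup: the value is bound as a parameter and never enters the
// SQL text, so neither magic_quotes_gpc nor manual escaping matters.
// get_result() requires the mysqlnd driver (assumed available).
function lookup_user_safe(mysqli $db, string $loginForm): ?array
{
    $stmt = $db->prepare("SELECT id, email FROM members WHERE login = ?");
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('s', $loginForm);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Demonstration of the crafted value against the unsafe builder.
$crafted = "x' OR '1'='1";
echo build_lookup_sql_unsafe($crafted), PHP_EOL;
// SELECT id, email FROM members WHERE login = 'x' OR '1'='1'
// Every row now matches; the password mail goes to whichever row comes first.

// Request handling for the "forgotten password" option, using the safe form
// (connection parameters are placeholders).
$db = new mysqli('localhost', 'app', 'secret', 'collab');
$user = lookup_user_safe($db, $_POST['loginForm'] ?? '');
if ($user === null) {
    // Respond identically whether or not the login exists, so the form
    // cannot be used to enumerate accounts.
}
```

The prepared statement fixes only this one handler; the thread below notes that the same concatenation pattern recurs throughout the code base, so each query site needs the same treatment rather than a single global quoting switch.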
Re-rating as B1 as it indirectly allows for remote code execution.
I initially intended to hack up a quick patch, but well, after having a quick look at the code...
This thing should really be removed from the tree, because:
* The SQL injection issue is not just present in general/sendpassword.php
but almost *EVERYWHERE*
* The admin panel allows for PHP code injection as demonstrated in $URL
(requires admin privs which you can obtain by exploiting the SQL
* With register_globals=on it looks like it is possible to inject arbitrary
shell code (general/login.php:28 using SSL_CLIENT_CERT)
Most of this also assumes magic_quotes_gpc=off. I only had a quick look at the code, so someone should maybe verify this...
I'm referring to the 2.4 (even stable on Gentoo/ppc) code base, but 2.5 has the same code and is vulnerable as well.
I just verified that the mentioned issues are really exploitable... they are.
Found yet another issue which allows for remote code execution. It doesn't depend on register_globals/magic_quotes_gpc either, so the default config should be considered vulnerable (forwarding exact exploit in private).
Time for p.mask + removal? :)
I'd mask because of the state the code is in.
Upstream replied to my mail from tonight and said they'll look into it, but I doubt this can be fixed in a few days...
I privately mailed coley to get CVEs and asked upstream about the plans for a fixed version.
+# Christian Hoffmann <email@example.com> (26 Aug 2008)
+# Masked for security, bug 235052; codebase seems to have lots of problems,
+# needs time to fix or final removing, see the referenced bug for progress
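Review bot: the hunk shows only the mask header comment; the package atoms for the phpcollab and netoffice packages that this comment is meant to cover are not visible in the hunk, so make sure the atom lines directly follow it, otherwise the entry masks nothing. Minor wording in the comment: "final removing" reads better as "final removal".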
Let's see if upstream is able to provide a fix in the near future, haven't got any new responses (neither from upstream nor from coley).
(In reply to comment #7)
> Let's see if upstream is able to provide a fix in the near future, haven't got
> any new responses (neither from upstream nor from coley).
I'm usually not impatient with regards to email response times, but as we are talking about a security issue here and I have neither received a reply from upstream nor from coley, I've resent both mails with a short ping.
Yet another month gone (or even more) and still no reply, I wonder what makes our mails (Robert's and mine) not reach Coley...
Should we go without CVEs? Or maybe try vendor-sec?
bressers gave us CVEs, mail to vendor-sec sent as well. Still no further upstream reaction.
Are we going to send a maskglsa soon? I think we should really give out some kind of advisory.
Request filed, let's add 2008-10-31 to the bug as removal date and get this over with.
Issued last rites. Package will be removed in 30 days.
Security, we should really send a GLSA here, shouldn't we? And we are way overdue our timeline...
Ebuild removed. webapps done.
GLSA 200812-20, sorry for the delay.