PHProjekt 5.2.0 - SQL Injection

Credit: Alexios Fakos
Risk: Medium
Local: No
Remote: Yes

CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

n.runs AG security at n.runs-SA-2007.003 14-Mar-2007 ________________________________________________________________________ Vendor: Mayflower GmbH, Affected Products: PHProjekt 5.2.0 Vulnerability: SQL Injection Risk: HIGH ________________________________________________________________________ Vendor communication: 2006/12/31 initial notification of Mayflower 2007/01/02 Mayflower Response 2007/01/02 PGP keys exchange 2007/01/02 PoCs sent to Mayflower 2007/01/11 Mayflower confirmed the bugs 2007/01/30 Mayflower fixed the bugs and sends RC1 2007/01/30 n.runs informs Mayflower about a persisting XSS vulnerability 2007/02/02 Mayflower confirmed the bug 2007/02/08 Mayflower fixed the bugs and sends RC2 2007/02/12 n.runs informs Mayflower about a persisting XSS vulnerability 2007/02/15 Mayflower confirmed the bug 2007/02/20 Mayflower fixed the bug and sends RC3 2007/02/21 n.runs verifies RC3 and reported a possible flaw within the new XSS protection library 2007/03/14 PHProjekt 5.2.1 available 2007/03/14 Coordinated disclosure ________________________________________________________________________ Overview: Quoting "PHProjekt is a modular application for the coordination of group activities and to share informations and document via the web. Components of PHProjekt: Group calendar, project management, time card system, file management, contact manager, mail client and many other modules. PHProjekt supports many protocols like ldap, xml/soap and webdav and is available for 38 languages and 9 databases." Description: Multiple vulnerabilities have been found within different modules. In detail, the following flaws were determined during a quick source code review for the modules Projects, Contacts, Helpdesk, Notes, Search and Mail. During the validation the php.ini setting "magic_quotes_gpc" was deactivated. a) The application suffers from a classical SQL Injection vulnerability in the calendar module. b) A Blind SQL Injection can be triggered within the search module. c) Furthermore it is possible to manipulate a cookie value, resulting in another Blind SQL Injection when the user logs out. Remarks ------- There may be other modules which are affected, but they have not been subject to review at this point. Solution: The vulnerabilities were reported on Dec 31 2006 and an update has been released on Mar 14 2007. ________________________________________________________________________ Credit: Bugs found by Alexios Fakos of n.runs AG. ________________________________________________________________________ References: ________________________________________________________________________ Unaltered electronic reproduction of this advisory is permitted. For all other reproduction or publication, in printing or otherwise, contact security (at) nruns (dot) com [email concealed] for permission. Use of the advisory constitutes acceptance for use in an "as is" condition. All warranties are excluded. In no event shall n.runs be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if n.runs has been advised of the possibility of such damages. Copyright 2007 n.runs AG. All rights reserved. Terms of apply.

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024,


Back to Top