PHPGroupware Login SQL Command Execution Vulnerability

by Nikola Strahija on April 5th, 2002

PHPGroupware does not properly handle data from the login field. Due to insufficient checking of input, it is possible for a user to embed SQL commands. By using special characters, a remote user can pass commands through the login field that will be executed in the database.


Additionally, this issue may also enable an attacker to exploit vulnerabilities that may exist in the underlying database.

Remote: Yes

Exploit: No exploit is required for this vulnerability. The following proof of concept has been supplied by Matthias Jordan:

fubar'; CREATE TABLE thistableshouldnotexist (a int); --
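
The class of flaw described above, shown beside its fix, as an added example that is not PHPGroupware's own code. It assumes a hypothetical `accounts` table, uses an in-memory SQLite database in place of the real backend, and uses `executescript()` to model a driver that accepts stacked statements.

```python
import sqlite3

# The proof-of-concept login string quoted in the advisory above.
POC_LOGIN = "fubar'; CREATE TABLE thistableshouldnotexist (a int); --"


def new_db():
    """Constructed in-memory database with a hypothetical accounts table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (login TEXT PRIMARY KEY, pw TEXT)")
    db.execute("INSERT INTO accounts VALUES ('alice', 'constructed-hash')")
    db.commit()
    return db


def tables(db):
    """Names of all tables currently in the schema (a simple integrity check)."""
    rows = db.execute("SELECT name FROM sqlite_master WHERE type='table'")
    return sorted(r[0] for r in rows)


def lookup_vulnerable(db, login):
    """Builds the statement by string concatenation: the flaw described above."""
    sql = "SELECT pw FROM accounts WHERE login = '" + login + "'"
    # Assumption: executescript() stands in for a driver that runs stacked statements.
    db.executescript(sql)


def lookup_parameterized(db, login):
    """Passes the login as a bound value, so the database never parses it as SQL."""
    cur = db.execute("SELECT pw FROM accounts WHERE login = ?", (login,))
    return cur.fetchone()


if __name__ == "__main__":
    weak, fixed = new_db(), new_db()
    lookup_vulnerable(weak, POC_LOGIN)
    print("concatenated query :", tables(weak))
    print("parameterized query:", lookup_parameterized(fixed, POC_LOGIN), tables(fixed))
```

With the bound parameter the whole login string is compared as data against the `login` column, so the lookup returns no row and the schema is unchanged.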



