NullLogic Groupware Flaws
Posted Jul 6, 2009
Authored by Tim Brown | Site nth-dimension.org.uk

NullLogic Groupware suffers from account compromise, denial of service, and possibly remote code execution vulnerabilities.

tags | advisory, remote, denial of service, vulnerability, code execution
SHA-256 | c36c4bc118817c73caa7e27e4882f82a005ab7e206e99a27d5d2b690d6443b2a

Nth Dimension Security Advisory (NDSA20090413)
Date: 13th April 2009
Author: Tim Brown <mailto:timb@nth-dimension.org.uk>
URL: <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
Product: Groupware 1.2.7 <http://nullwebmail.sourceforge.net/groupware/>
Vendor: NullLogic (Dan Cahill) <http://nullwebmail.sourceforge.net/>
Risk: High

Summary

This advisory comes in 3 related parts:

1) Groupware supports a number of database servers including SQLite
and MySQL. During configuration, it is set up to use one of these for the storage
of data, including credentials. The functions which access the configured
database do not sanitise all input satisfactorily. This can lead to SQL
injection, allowing compromise of the Groupware server.

2) Groupware includes a fully featured forum which is available to authenticated
users. The functions called by the web application when this is accessed do not
validate all input satisfactorily. It is possible to supply malformed data as
one of the parameters which causes an exception, allowing a denial of service
condition to be effected.

3) When Groupware is configured to use the PostgreSQL database server
backend, a programming error within the database functions of the POP3, SMTP and
web components of Groupware may allow longer than expected strings to be written
to the stack. This could lead to a stack overflow allowing compromise of the
Groupware server.

Technical Details

1) Groupware typically calls the sql_queryf function when talking to the
database server. As with printf and friends, this takes a C format string and
other parameters specific to the operation and constructs an SQL query which
is then passed to the appropriate database function. For example, from the
Groupware web application (which is typically found on port 4110), the user
is presented with a login page. When an attempt is made to log in,
queries are generated by the auth_checkpass function as follows:

if ((sqr=sql_queryf(sid, "SELECT userid, password FROM gw_users WHERE username = '%s' and enabled > 0", sid->dat->user_username))<0) {

Since we can control the value of sid->dat->user_username from the username
parameter of requests to the login page, and that value is insufficiently
sanitised, we can influence the actual SQL query which is executed by the
database server. Note that a significant percentage of all database calls are
susceptible in the same way.
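The following C is an added illustration written for this page, not code from Groupware: it mirrors the sql_queryf pattern above with a hypothetical build_query_unsafe, places a build_query_safe beside it that escapes the value before it enters the string literal, and uses a crude quote-parity check to show why the unescaped form changes the structure of the statement. A perfectly ordinary username containing an apostrophe is enough to demonstrate the point.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the sql_queryf() pattern on the page: the
 * user-controlled value is spliced straight into the SQL text via %s. */
int build_query_unsafe(char *out, size_t outsize, const char *username)
{
    int n = snprintf(out, outsize,
        "SELECT userid, password FROM gw_users WHERE username = '%s' and enabled > 0",
        username);
    return (n < 0 || (size_t)n >= outsize) ? -1 : 0;
}

/* Escape a value for use inside a single-quoted SQL string literal by
 * doubling every single quote (standard SQL). Returns a malloc'd string
 * the caller frees, or NULL on allocation failure. */
char *sql_escape_literal(const char *in)
{
    size_t quotes = 0, len = strlen(in);
    for (size_t i = 0; i < len; i++)
        if (in[i] == '\'') quotes++;
    char *out = malloc(len + quotes + 1);
    if (out == NULL) return NULL;
    char *p = out;
    for (size_t i = 0; i < len; i++) {
        if (in[i] == '\'') *p++ = '\'';   /* ' becomes '' */
        *p++ = in[i];
    }
    *p = '\0';
    return out;
}

/* Same query, but the value can no longer terminate the literal. */
int build_query_safe(char *out, size_t outsize, const char *username)
{
    char *esc = sql_escape_literal(username);
    if (esc == NULL) return -1;
    int n = snprintf(out, outsize,
        "SELECT userid, password FROM gw_users WHERE username = '%s' and enabled > 0",
        esc);
    free(esc);
    return (n < 0 || (size_t)n >= outsize) ? -1 : 0;
}

/* Crude structural check: a statement built from one quoted literal has an
 * even number of single quotes. An odd count means the value escaped the
 * literal and the query the server sees is not the query the code intended. */
int quotes_balanced(const char *q)
{
    size_t count = 0;
    for (; *q; q++)
        if (*q == '\'') count++;
    return (count % 2) == 0;
}
```

Doubling quotes is the portable minimum; where the database API offers parameter binding (sqlite3_bind_text) or a connection-aware escaper (mysql_real_escape_string, which also handles backslashes under MySQL's default modes), that is the better fix because the value then never becomes part of the SQL text at all.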

2) The Groupware web application's forum module takes a parameter to
select the forum that the user wishes to access. The parameter is incorrectly
validated, leading to an exception being thrown when the fmessagelist
function is passed a forum parameter that is either an empty or a non-numeric
string.
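As an added example (not Groupware code), the hypothetical parse_forum_id below is the kind of strict check that keeps an empty or non-numeric forum parameter from ever reaching the code that cannot cope with it, and fmessagelist_status sketches a handler that fails closed with a 400 instead of raising. The digits-only rule and the "ids start at 1" rule are assumptions made for the illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>

/* Strict parser for a numeric request parameter. Returns 0 and stores the
 * value on success, -1 on any defect: NULL or empty input, whitespace, a
 * sign, trailing junk, or a value that does not fit in a long. */
int parse_forum_id(const char *s, long *out)
{
    if (s == NULL || *s == '\0')
        return -1;                               /* empty string: reject */
    for (const char *p = s; *p; p++)
        if (!isdigit((unsigned char)*p))
            return -1;                           /* digits only, no " 7", "7x", "-1" */
    errno = 0;
    char *end = NULL;
    long v = strtol(s, &end, 10);
    if (errno == ERANGE || end == s || *end != '\0')
        return -1;                               /* overflow or partial parse */
    if (v < 1)
        return -1;                               /* assumption: forum ids start at 1 */
    *out = v;
    return 0;
}

/* Handler sketch: validate before use and answer with an HTTP status code
 * rather than letting a malformed value propagate into an exception. */
int fmessagelist_status(const char *forum_param)
{
    long forum_id;
    if (parse_forum_id(forum_param, &forum_id) != 0)
        return 400;                              /* Bad Request */
    /* ... forum_id is now known good; look up the forum (omitted) ... */
    return 200;
}
```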

3) Consider the following function which is called when Groupware is configured to
use a PostgreSQL database server:

int pgsqlQuery(CONN *sid, int sqr, char *sqlquery)
{
...
char query[8192];                        /* 8192-byte buffer on the stack */
...
memset(query, 0, sizeof(query));
snprintf(query, sizeof(query)-1, "DECLARE myportal CURSOR FOR ");   /* 28-byte prefix */
strncat(query, sqlquery, sizeof(query)); /* bound is the whole buffer, not the space left after the prefix */
...
}

As you can see, it allocates an 8192-byte buffer for query on the stack and
proceeds to construct an SQL query. The problem is that it starts the
string construction with a fixed-length string of 28 bytes before concatenating
up to 8192 bytes (the size of query previously allocated on the stack). The total
amount of data written to the stack (8220 bytes) is therefore greater than that
which was initially allocated. In theory this could lead to the previous
function's base pointer (%ebp) and return address (%eip) being blown away if
the value of sqlquery passed is longer than 8163 bytes. Note this code can be
found in a number of locations within the Groupware source.
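To make the arithmetic above concrete and show the corrected construction, here is an added C example that is not part of the advisory or of Groupware. max_sqlquery_len and strncat_worst_case compute the 8163 and 8220 figures from the buffer size and the 28-byte prefix; build_cursor_query is a hypothetical hardened replacement that builds the statement in one bounded snprintf and refuses to continue on truncation (a truncated SQL statement is wrong even when it is not dangerous); build_cursor_query_strncat shows the correct third argument if strncat is kept.

```c
#include <stdio.h>
#include <string.h>

#define QUERY_BUF 8192
static const char CURSOR_PREFIX[] = "DECLARE myportal CURSOR FOR ";   /* 28 chars */

/* Largest sqlquery that fits after the prefix with room for the NUL:
 * 8192 - 28 - 1 = 8163 for the buffer on the page. */
size_t max_sqlquery_len(size_t bufsize)
{
    return bufsize - (sizeof(CURSOR_PREFIX) - 1) - 1;
}

/* Bytes strncat(query, sqlquery, sizeof(query)) may place in the buffer in
 * the worst case: the prefix plus up to bufsize more characters, 8220 for
 * the page's buffer, plus one further byte for the terminator. The bound
 * limits only what is appended, not the total. */
size_t strncat_worst_case(size_t bufsize)
{
    return (sizeof(CURSOR_PREFIX) - 1) + bufsize;
}

/* Hardened construction: one snprintf bounded by the real buffer size, with
 * the return value checked. Returns 0 on success, -1 if it would not fit,
 * leaving an empty string rather than a half-built statement. */
int build_cursor_query(char *query, size_t bufsize, const char *sqlquery)
{
    if (bufsize == 0) return -1;
    int n = snprintf(query, bufsize, "%s%s", CURSOR_PREFIX, sqlquery);
    if (n < 0 || (size_t)n >= bufsize) {
        query[0] = '\0';
        return -1;
    }
    return 0;
}

/* If strncat must stay: reject over-long input up front, then bound the
 * append by the space remaining, which is bufsize - strlen(query) - 1. */
int build_cursor_query_strncat(char *query, size_t bufsize, const char *sqlquery)
{
    if (bufsize <= sizeof(CURSOR_PREFIX)) return -1;
    if (strlen(sqlquery) > max_sqlquery_len(bufsize)) return -1;
    memset(query, 0, bufsize);
    memcpy(query, CURSOR_PREFIX, sizeof(CURSOR_PREFIX));   /* copies the NUL too */
    strncat(query, sqlquery, bufsize - strlen(query) - 1);
    return 0;
}
```

Both hardened variants treat "does not fit" as an error rather than silently truncating; a caller that would rather split or reject the request can branch on the -1.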

Solutions

Unfortunately, Nth Dimension are unaware of any fixes for these issues
at the current time. The developer was contacted on Monday, 13th April 2009
but no response was forthcoming.