Bugtraq mailing list archives

Re: SQL injection in PHPGroupware


From: Dan Kuykendall <dan () kuykendall org>
Date: 11 Apr 2002 07:36:44 -0000


In-Reply-To: <17122201257.20020403160836 () code-fu de>

The problem is caused by a specific change to the 
standard PHP options by the Debian packages. For 
some reason magic_quotes_gpc is set to Off in the 
/etc/phpgroupware/apache.conf

If you change the two entries to On then the 
security hole disappears.

This IS NOT a phpGroupWare security hole per se, 
it's a problem with a config setting that we rely 
on from PHP.

We are currently looking at restructuring a few 
areas to take over what magic_quotes_gpc does so 
that we can be safe when it is turned off. That 
will likely show up in 0.9.16 since 0.9.14 is 
probably going to be released soon and won't have 
time to be retrofitted.

Seek3r
phpGroupWare Spokesperson
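
A check for the setting described in the message above, added here as an example (not part of the original post or of phpGroupWare): it scans an Apache configuration fragment for mod_php directives that turn magic_quotes_gpc off. The function names, the sample fragment and its paths are constructed for illustration.

```shell
#!/bin/sh
# Print "LINE: text" for every mod_php directive that disables
# magic_quotes_gpc. Returns 1 if any is found, 0 if none, 2 if unreadable.
audit_magic_quotes() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blanks
        {
            d = tolower($1); name = tolower($2); val = tolower($3)
            gsub(/"/, "", val)                  # allow quoted values
            if ((d == "php_flag" || d == "php_value" ||
                 d == "php_admin_flag" || d == "php_admin_value") &&
                name == "magic_quotes_gpc" &&
                (val == "off" || val == "0" || val == "false" || val == "no")) {
                printf "%d: %s\n", NR, $0
                bad++
            }
        }
        END { exit (bad > 0) }
    ' "$conf"
}

# Constructed sample fragment; not the file shipped by the Debian package.
sample_conf() {
    cat <<'EOF'
# constructed sample
<Directory /usr/share/phpgroupware/>
    php_flag magic_quotes_gpc Off
    php_flag track_vars On
</Directory>
<Location /phpgroupware>
    php_value magic_quotes_gpc off
</Location>
EOF
}

# Demo on the constructed sample; point it at the real file instead, e.g.
#   audit_magic_quotes /etc/phpgroupware/apache.conf
tmp=$(mktemp)
sample_conf > "$tmp"
audit_magic_quotes "$tmp" || echo "magic_quotes_gpc is disabled on the lines above"
rm -f "$tmp"
```

magic_quotes_gpc was removed in PHP 5.4, so the check only applies to installations old enough to have the setting.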

