26th Sep 2002 [SBWID-5240]
COMMAND
SQL injection in PHPGroupware
SYSTEMS AFFECTED
PHPGroupware 0.9.12
PROBLEM
Matthias Jordan said:
PHPGroupware 0.9.12 (the current release version) is vulnerable to SQL
injection. This enables each attacker who can access the login page of
PHPGroupware to take over the database. This is true in particular for
the Debian package phpgroupware (0.9.12-3.2) that has been tested.
Example
=======
Go to the login page of a PHPGroupware installation. Enter:
fubar'; CREATE TABLE thistableshouldnotexist (a int); --
Enter the whole line. Don't forget the "'" after "fubar". The database
used for PHPGroupware now has a new table.
SOLUTION
Patch
Solution involving more work: upgrade to 0.9.14 RC2
Workarounds
Fast pseudo-solution: Protect all phpgroupware directories on web
server level - e.g. with a suitable .htaccess file so only trusted
users have access to the login form and only those can destroy their
own groupware app (which they hopefully don't want to).
Further readings
http://www.phpgroupware.org
http://www.nextgenss.com/papers/advanced_sql_injection.pdf
-Also- (Update 15 April 2002)
Dan Kuykendall added:
The problem is caused by a specific change to the standard PHP options
by the Debian packages. For some reason magic_quotes_gpc is set to Off
in the /etc/phpgroupware/apache.conf.
If you change the two entries to On then the security hole disappears.
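
A way to audit an Apache configuration for the setting described above, as an added example that is not part of the original advisory or of PHPGroupware. The sample configuration is constructed (the advisory does not reproduce the Debian file), its paths are placeholders, and the use of the php_flag/php_value directive forms is an assumption.

```python
import re

# mod_php directives that can set a PHP ini option from an Apache config file.
DIRECTIVE = re.compile(
    r"^(php_(?:admin_)?(?:flag|value))\s+magic_quotes_gpc\s+(\S+)",
    re.IGNORECASE,
)
# Assumption: only these values count as "enabled"; anything else is reported.
ON_VALUES = {"on", "1"}

# Constructed sample input; paths are placeholders, not the Debian file.
SAMPLE_CONF = """\
# constructed sample
<Directory /path/to/phpgroupware>
    php_flag magic_quotes_gpc Off
</Directory>
<Directory /path/to/other-app>
    # php_flag magic_quotes_gpc Off
    php_flag magic_quotes_gpc On
</Directory>
<Location /phpgroupware>
    php_value magic_quotes_gpc 0
</Location>
"""


def find_magic_quotes_off(conf_text):
    """Return (line_number, section, directive) for every entry that does not
    enable magic_quotes_gpc. Commented-out lines are ignored."""
    findings = []
    sections = []  # stack of open <Directory>/<Location>/... containers
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            if sections:
                sections.pop()
            continue
        if line.startswith("<"):
            sections.append(line.strip("<>"))
            continue
        m = DIRECTIVE.match(line)
        if m and m.group(2).strip("\"'").lower() not in ON_VALUES:
            findings.append((lineno, sections[-1] if sections else "(global)", line))
    return findings


if __name__ == "__main__":
    for lineno, section, directive in find_magic_quotes_off(SAMPLE_CONF):
        print(f"line {lineno} [{section}]: {directive}")
```

magic_quotes_gpc was removed in PHP 5.4.0, so this check applies only to installations of the era the advisory covers.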