Listen to this Post
The vulnerability exploits a PHP type juggling issue in EGroupware’s Nextmatch widget filter processing. Authenticated users can send JSON payloads where numeric string keys, like “0”, are automatically converted to integers by PHP’s json_decode(). The application security relies on is_int() checks to trust array keys as raw SQL fragments. This conversion bypasses the check, allowing attacker-controlled values to be appended directly to SQL queries. The flaw resides in the column_data_implode method in Db.php and parse_search in Storage/Base.php. When processing col_filter arrays, is_int($key) returns true for the converted integer keys, mistaking malicious input for trusted SQL. Consequently, arbitrary SQL commands injected into the values are concatenated into the WHERE clause, leading to full database compromise through authenticated SQL injection.
Platform: EGroupware
Version: Not specified
Vulnerability: Authenticated SQL Injection
Severity: Critical
date: Unknown
Prediction: Patch date TBD
What Undercode Say:
Analytics:
python3 exploit.py http://target.com sysop password123
payload = "1=1 AND EXTRACTVALUE(1, CONCAT(0x7e, (SUBSTRING(({sql}), {offset}, 30)), 0x7e))"
post_data = {"request": {"parameters": [eid, {"start": 0, "num_rows": 1}, {"col_filter": {"0": payload}}]}}
How Exploit:
Authenticated attacker sends JSON payload with numeric-keyed col_filter containing SQL injection, bypassing is_int() check via PHP type juggling, enabling error-based data exfiltration.
Protection from this CVE Impact:
Implement input whitelisting, use parameterized queries, enforce strict type checking. Impact: Database compromise, data loss, system integrity breach.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

