SOGo SQL Injection Vulnerability in Password Change Function

A SQL injection vulnerability has been identified in SOGo versions prior to 5.12.7, when using PostgreSQL or MariaDB databases that store passwords in cleartext. The issue arises in the 'changePasswordForLogin' function, where user input is not properly sanitized before being used in SQL queries, allowing for potential manipulation of the SQL command executed by the database.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can interfere with the application's database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

To reproduce this vulnerability, first ensure that SOGo is running a version prior to 5.12.7 and that either PostgreSQL or MariaDB is being used with passwords stored in cleartext. Then, initiate a password change for a user account. The 'changePasswordForLogin' function will be called, using the unescaped password input in an SQL update query. This creates an opportunity to inject malicious SQL code.

Remediation

Users should update SOGo to version 5.12.7 or later. Instructions for updating can be found in the SOGo documentation.