| VID |
21347 |
| Severity |
40 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
The phpGroupWare installed on the Web server, according to its version number, has a Remote File Include Vulnerability. Joseph Engo's phpGroupWare is a web-based groupware system written in PHP that includes features such as email, calendar, and to-do lists. Some versions of phpGroupWare prior to 0.9.14.006 could permit remote attackers to include and execute malicious PHP scripts, due to improper validation of various 'Addressbook' variables submitted to the 'index.php' script. A remote attacker could use this vulnerability to cause arbitrary PHP code to be executed in the target's Web browser within the context of the web server.
* Note: This check relies solely on the version number of the remote phpGroupWare to assess this vulnerability, so the result might be a false positive.
* References: http://www.osvdb.org/displayvuln.php?osvdb_id=2243 http://archives.neohapsis.com/archives/fulldisclosure/2003-q3/0032.html
* Platforms Affected: Joseph Engo: phpGroupWare 0.9.14.005, 0.9.14.003; Joseph Engo: phpGroupWare 0.9.12; Joseph Engo: phpGroupWare 0.9.13; Linux Any version; Windows Any version; Unix Any version |
| Recommendation |
Upgrade to the latest version of phpGroupWare (0.9.14.006 or later), available from the phpGroupWare download site at http://prdownloads.sourceforge.net/phpgroupware/ |
| Related URL |
CVE-2003-0504 (CVE) |
| Related URL |
8265 (SecurityFocus) |
| Related URL |
12497 (ISS) |
|