| VID |
21348 |
| Severity |
40 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
The version of phpGroupWare installed on the Web server is, according to its version number, affected by a Calendar Module Server Side Script Execution Vulnerability. Joseph Engo's phpGroupWare is a web-based groupware system written in PHP that includes features such as email, calendar, and to-do lists. Some versions of phpGroupWare prior to 0.9.14.007 could allow a remote attacker to execute arbitrary code on the system because of a flaw in the calendar module. A remote attacker could place malicious code on a remote Web server with a specially crafted holiday file, allowing the attacker to execute arbitrary malicious script code on the visitor's system with the privileges of the Web server.
* Note: This check relies solely on the version number of the remote phpGroupWare to assess this vulnerability, so the result might be a false positive.
* References: http://www.osvdb.org/6860 http://www.debian.org/security/2004/dsa-419
* Platforms Affected: Joseph Engo: phpGroupWare 0.9.14.006, 0.9.14.005, 0.9.14.003; Joseph Engo: phpGroupWare 0.9.13; Joseph Engo: phpGroupWare 0.9.12; Linux Any version; Windows Any version; Unix Any version |
| Recommendation |
Upgrade to the latest version of phpGroupWare (0.9.14.007 or later), available from the phpGroupWare download site at http://prdownloads.sourceforge.net/phpgroupware/
For Debian GNU/Linux 3.0 (woody): Upgrade to the latest version of phpgroupware (0.9.14-0.RC3.2.woody3 or later), as listed in Debian Security Advisory DSA-419-1 at http://www.debian.org/security/2004/dsa-419
For other distributions: Contact your vendor for upgrade or patch information. |
| Related URL |
CVE-2004-0016 (CVE) |
| Related URL |
9387 (SecurityFocus) |
| Related URL |
13489 (ISS) |
|