| Field | Value |
|---|---|
| VID | 21349 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | CGI |
| Detailed Description | The phpGroupWare installed on the Web server, according to its version number, has multiple cross-site scripting vulnerabilities. Joseph Engo's phpGroupWare is a web-based groupware system written in PHP that includes features such as email, a calendar, and to-do lists. Some versions of phpGroupWare prior to 0.9.14.005 are vulnerable to multiple cross-site scripting vulnerabilities caused by insufficient input validation on form fields used by phpGroupWare modules. A remote attacker could create a specially crafted URL containing malicious script and persuade a target user to click it; once the URL is clicked, the embedded script would execute in the victim's Web browser. A remote attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. |
| Note | This check relies solely on the version number of the remote phpGroupWare to assess this vulnerability, so it may be a false positive. |
| References | http://archives.neohapsis.com/archives/bugtraq/2003-07/0022.html, http://www.osvdb.org/displayvuln.php?osvdb_id=2243 |
| Platforms Affected | phpGroupWare 0.9.14.003, 0.9.13, 0.9.12; Conectiva Linux 7.0, 8.0, 9.0; Debian Linux 3.0; Mandrake Linux 8.2, 9.0, 9.1, Corporate Server 2.1; Linux (any version); Windows (any version); Unix (any version) |
| Recommendation | Upgrade to the latest version of phpGroupWare (0.9.14.005 or later), available from the phpGroupWare download site at http://prdownloads.sourceforge.net/phpgroupware/ |
| Recommendation (Conectiva Linux) | Upgrade to the latest phpgroupware package, as listed in Conectiva Linux Security Announcement CLSA-2003:697 at http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000697 |
| Recommendation (Mandrake Linux) | Upgrade to the latest phpgroupware package, as listed in MandrakeSoft Security Advisory MDKSA-2003:077 at http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:077 |
| Recommendation (Debian GNU/Linux 3.0, woody) | Upgrade to the latest version of phpgroupware (0.9.14-0.RC3.2.woody2 or later), as listed in Debian Security Advisory DSA-365-1 at http://www.debian.org/security/2003/dsa-365 |
| Recommendation (other distributions) | Contact your vendor for upgrade or patch information. |
| Related URL | CVE-2003-0504 (CVE) |
| Related URL | 8088 (SecurityFocus) |
| Related URL | 12497 (ISS) |