| VID | 21350 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | CGI |
| Detailed Description | According to its version number, the phpGroupWare installation on the Web server is affected by a plaintext cookie authentication credentials disclosure vulnerability. Joseph Engo's phpGroupWare is a web-based groupware system written in PHP that includes features such as email, calendar, and to-do lists. Some versions of phpGroupWare disclose authentication credentials because the application sets the header admin and setup passwords as plaintext cookies. If web administration of phpGroupWare is not conducted over an encrypted link, an attacker with the ability to sniff network traffic could easily retrieve these passwords. This may aid the attacker in further system compromise.
* Note: This check relied solely on the version number of the remote phpGroupWare to assess this vulnerability, so this might be a false positive.
* References: http://www.osvdb.org/displayvuln.php?osvdb_id=8354
* Platforms Affected: Joseph Engo: phpGroupWare 0.9.14.007, 0.9.14.006, 0.9.14.005, 0.9.14.003; Joseph Engo: phpGroupWare 0.9.16.000, 0.9.16.001; Joseph Engo: phpGroupWare 0.9.13; Joseph Engo: phpGroupWare 0.9.12; Debian Linux 2.2; Conectiva Linux 7.0, 8.0, 9.0; Linux Any version; Windows Any version; Unix Any version |
| Recommendation | Upgrade to the latest version of phpGroupWare (0.9.16.002 or later), available from the phpGroupWare download site at http://prdownloads.sourceforge.net/phpgroupware/ |
| Related URL | CVE-2004-2578 (CVE) |
| Related URL | 10895 (SecurityFocus) |
| Related URL | 16970 (ISS) |