| Field | Value |
|---|---|
| VID | 21351 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | CGI |
| Detailed Description | The phpGroupWare installed on the Web server, according to its version number, has multiple SQL injection vulnerabilities. Joseph Engo's phpGroupWare is a web-based groupware system written in PHP that includes features such as email, calendar, and to-do lists. Some versions prior to 0.9.14.007 of phpGroupWare are vulnerable to multiple SQL injection vulnerabilities in the 'calendar' or 'infolog' modules, caused by insufficient sanitization of user-supplied data. By passing malicious SQL commands to the 'calendar' or 'infolog' modules, a remote attacker could perform unauthorized database operations, such as adding, modifying, or deleting information in the backend database. |
| Note | This check relies solely on the version number of the remote phpGroupWare to assess this vulnerability, so the result may be a false positive. |
| References | http://www.debian.org/security/2004/dsa-419 ; http://www.osvdb.org/displayvuln.php?osvdb_id=2691 ; http://www.osvdb.org/displayvuln.php?osvdb_id=6857 |
| Platforms Affected | Joseph Engo: phpGroupWare 0.9.14.006, 0.9.14.005, 0.9.14.003; Joseph Engo: phpGroupWare 0.9.12; Joseph Engo: phpGroupWare 0.9.13; Debian Linux 3.0; Linux Any version; Windows Any version; Unix Any version |
| Recommendation | Upgrade to the latest version of phpGroupWare (0.9.14.007 or later), available from the phpGroupWare download site at http://prdownloads.sourceforge.net/phpgroupware/ |
| Recommendation (Debian GNU/Linux 3.0, woody) | Upgrade to the latest version of phpGroupWare (0.9.14-0.RC3.2.woody3 or later), as listed in Debian Security Advisory DSA-419-1 at http://www.debian.org/security/2004/dsa-419 |
| Recommendation (other distributions) | Contact your vendor for upgrade or patch information. |
| Related URL | CVE-2004-0017 (CVE) |
| Related URL | 9386 (SecurityFocus) |
| Related URL | 14846 (ISS) |