VID | 21721
Severity | 40
Port | 80, ...
Protocol | TCP
Class | CGI
Detailed Description | A version of phpGroupWare older than 0.9.16.007 is detected as installed on the host. phpGroupWare (formerly known as webdistro), developed by Joseph Engo, is a multi-user groupware suite written in PHP. phpGroupWare versions prior to 0.9.16.007 contain multiple vulnerabilities, which can be exploited by a remote attacker with administrative privileges to conduct script insertion attacks, or by a remote attacker to bypass certain security restrictions or compromise a vulnerable system.
1) phpGroupWare uses vulnerable versions of FUDforum, which could allow a remote attacker to bypass security and view messages in a private forum when the 'tree view' feature is enabled.
2) phpGroupWare uses vulnerable versions of XML-RPC, which could allow a remote attacker to execute arbitrary PHP code on the system.
3) A remote attacker with administrative privileges could include arbitrary JavaScript code when editing the main screen message from the admin pages.
* Note: This check relies solely on the version number of phpGroupWare reported by the remote Web server to assess this vulnerability, so it may be a false positive.
* References: http://savannah.gnu.org/bugs/?func=detailitem&item_id=13863 http://secunia.com/advisories/16414/ http://secunia.com/advisories/16558/
* Platforms Affected: Joseph Engo, phpGroupWare versions prior to 0.9.16.007; any operating system; any version
Recommendation | Upgrade to the latest version of phpGroupWare (0.9.16.007 or later), available from the phpGroupWare Web site at http://sourceforge.net/projects/phpgroupware/
Related URL | CVE-2005-2498, CVE-2005-2600, CVE-2005-2761 (CVE)
Related URL | 14560, 14556, 14724 (SecurityFocus)
Related URL | 21803, 21842 (ISS)