| VID |
21877 |
| Severity |
40 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
The PHProjekt allows for access to the 'setup.php' file without requiring authentication. PHProjekt is an open-source Groupware package written in PHP4. PHProjekt version 4.2.1 and earlier versions could allow a remote attacker to gain access to the 'setup.php' file without requiring authentication, caused due to an unspecified error in the 'setup.php' file. A remote attacker could exploit this vulnerability to upload and execute arbitrary PHP scripts, including operating system commands, with the privileges of the target web service.
* References:
http://www.gentoo.org/security/en/glsa/glsa-200412-06.xml
http://www.securitytracker.com/alerts/2004/Dec/1012369.html
http://secunia.com/advisories/13355/
* Platforms Affected:
PHProjekt version 4.2.1 and earlier versions
Any operating system Any version |
| Recommendation |
Upgrade the setup.php script to the fixed version, available from the PHProjekt Web site at http://phprojekt.com/files/4.2/setup.zip
For Gentoo Linux:
Upgrade to the latest version of phprojekt (4.2-r1 or later), as listed in Gentoo Linux Security Advisory GLSA 200412-06 at http://www.gentoo.org/security/en/glsa/glsa-200412-06.xml |
| Related URL |
CVE-2004-2739 (CVE) |
| Related URL |
11797 (SecurityFocus) |
| Related URL |
18320 (ISS) |
|
