GLSA Advocate
Posted: Sun Jul 10, 2005 7:49 pm Post subject: [ GLSA 200507-08 ] phpGroupWare, eGroupWare: PHP script inje
Gentoo Linux Security Advisory
Title: phpGroupWare, eGroupWare: PHP script injection vulnerability (GLSA 200507-08)
Severity: high
Exploitable: remote
Date: July 10, 2005
Bug(s): #97460, #97651
ID: 200507-08
Synopsis
phpGroupWare and eGroupWare include an XML-RPC implementation which allows remote attackers to execute arbitrary PHP script commands.
Background
phpGroupWare and eGroupWare are web-based collaboration software suites.
Affected Packages
Package: www-apps/phpgroupware
Vulnerable: < 0.9.16.006
Unaffected: >= 0.9.16.006
Architectures: All supported architectures
Package: www-apps/egroupware
Vulnerable: < 1.0.0.008
Unaffected: >= 1.0.0.008
Architectures: All supported architectures
Description
The XML-RPC implementations of phpGroupWare and eGroupWare fail to sanitize input sent to the XML-RPC server using the "POST" method.
Impact
A remote attacker could exploit the XML-RPC vulnerability to execute arbitrary PHP script code by sending specially crafted XML data to the XML-RPC servers of phpGroupWare or eGroupWare.
Workaround
There are no known workarounds at this time.
Resolution
All phpGroupWare users should upgrade to the latest available version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/phpgroupware-0.9.16.006"
All eGroupWare users should upgrade to the latest available version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/egroupware-1.0.0.008"
References
CAN-2005-1921
Last edited by GLSA on Sun May 07, 2006 4:57 pm; edited 1 time in total
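To confirm whether a host still carries a version listed as vulnerable above, the following added example (not part of the advisory or of Portage) scans the installed-package database and compares each installed version with the fixed versions from the Affected Packages section. It assumes the Portage layout of one directory per category/name-version under /var/db/pkg, uses a simplified numeric comparison rather than Portage's own version logic, and its function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag installed phpGroupWare/eGroupWare versions below the
# fixed versions named in GLSA 200507-08. Helper names are hypothetical.

# ver_lt A B: succeed when dotted version A sorts below B (numeric per field;
# a simplification of Portage's own version comparison).
ver_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# check_pkg VDB CATEGORY/NAME FIXED: report every installed version of the
# package found under VDB; return 1 if any is older than FIXED.
check_pkg() {
    vdb=$1; pkg=$2; fixed=$3; rc=0
    for dir in "$vdb/$pkg"-[0-9]*; do
        [ -d "$dir" ] || continue
        ver=${dir##*/"${pkg#*/}"-}
        # Drop a trailing Gentoo revision (-rN) before comparing.
        if ver_lt "${ver%-r[0-9]*}" "$fixed"; then
            echo "VULNERABLE $pkg-$ver (fixed in $fixed)"; rc=1
        else
            echo "ok $pkg-$ver"
        fi
    done
    return $rc
}

# glsa_200507_08 [VDB]: apply the advisory's two thresholds.
glsa_200507_08() {
    vdb_root=${1:-/var/db/pkg}; status=0
    check_pkg "$vdb_root" www-apps/phpgroupware 0.9.16.006 || status=1
    check_pkg "$vdb_root" www-apps/egroupware 1.0.0.008 || status=1
    return $status
}

# Demo on a constructed package database (not a real system's).
demo=$(mktemp -d)
mkdir -p "$demo/www-apps/phpgroupware-0.9.16.005-r1" "$demo/www-apps/egroupware-1.0.0.008"
glsa_200507_08 "$demo" || echo "at least one package needs upgrading"
rm -rf "$demo"
```

On a Gentoo host, calling glsa_200507_08 with no argument checks /var/db/pkg; a non-zero return means the Resolution steps above still need to be run.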