Family: Debian Local Security Checks --> Category: infos
[DSA419] DSA-419-1 phpgroupware Vulnerability Scan
Vulnerability Scan Summary
Detailed Explanation for this Vulnerability Test
The authors of phpgroupware, a web based groupware system written in
PHP, discovered several vulnerabilities. The Common Vulnerabilities
and Exposures project identifies the following problems:
In the "calendar" module, "save extension" was not enforced for
holiday files. As a result, server-side php scripts may be placed
in directories that then could be accessed remotely and cause the
webserver to execute those. This was resolved by enforcing the
extension ".txt" for holiday files.
Some SQL injection problems (non-escaping of values used in SQL
strings) the "calendar" and "infolog" modules.
Additionally, the Debian maintainer adjusted the permissions on world
writable directories that were accidentally created by former postinst
during the installation.
For the stable distribution (woody) this problem has been fixed in
For the unstable distribution (sid) this problem has been fixed in
We recommend that you upgrade your phpgroupware, phpgroupware-calendar
and phpgroupware-infolog packages.
Solution : http://www.debian.org/security/2004/dsa-419
Threat Level: High
Click HERE for more information and discussions on this network vulnerability scan.