| Summary: | <www-apps/phpgroupware-0.9.16.012-r1: Local file inclusion, XSS, SQLi (CVE-2009-{4414,4415,4416}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Alex Legler (RETIRED) <a3li> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | major | CC: | web-apps |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | All | | |
| URL: | http://secunia.com/advisories/35519/ | | |
| Whiteboard: | B3 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |

Description
Alex Legler (RETIRED)
2009-07-23 19:25:05 UTC
Upstream seems to be pretty dead. If there is sufficient interest in this package, I can try to come up with a patch, like Secunia suggests: "SOLUTION: Edit the source code to ensure that input is properly sanitised and verified."

+ 04 Aug 2009; Alex Legler <a3li@gentoo.org> package.mask: + Mask www-apps/phpgroupware, security bug 278864. + Masked until fixed or removed.

local file inclusion should be B1, no? this needs a maskglsa then.

Fixed upstream: http://svn.savannah.gnu.org/viewvc?view=rev&root=phpgroupware&sortby=date&revision=19117 0.9.16_014 is tagged in the svn, but not linked on the web site. please apply patch.

+*phpgroupware-0.9.16.012-r1 (12 Aug 2009) + + 12 Aug 2009; Alex Legler <a3li@gentoo.org> + +files/phpgroupware-SA35519.patch, +phpgroupware-0.9.16.012-r1.ebuild: + Non-maintainer commit: Version bump for security bug 278864. + + 12 Aug 2009; Alex Legler <a3li@gentoo.org> package.mask: + Taking phpgroupware out of p.mask as there is a fixed version now. Bug + 278864. +

Arches, please test and mark stable: =www-apps/phpgroupware-0.9.16.012-r1 Target keywords : "alpha amd64 ppc"

ppc stable

Stable on alpha.

amd64 stable

GLSA request already filed. No CVE seems to have been assigned yet.

CVE-2009-4414 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4414): SQL injection vulnerability in phpgwapi /inc/class.auth_sql.inc.php in phpGroupWare 0.9.16.12, and possibly other versions before 0.9.16.014, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the passwd parameter to login.php.

CVE-2009-4415 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4415): Multiple directory traversal vulnerabilities in phpGroupWare 0.9.16.12, and possibly other versions before 0.9.16.014, allow remote attackers to (1) read arbitrary files via the csvfile parameter to addressbook/csv_import.php, or (2) include and execute arbitrary local files via the conv_type parameter in addressbook/inc/class.uiXport.inc.php.

CVE-2009-4416 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4416): Cross-site scripting (XSS) vulnerability in login.php in phpGroupWare 0.9.16.12, and possibly other versions before 0.9.16.014, allows remote attackers to inject arbitrary web script or HTML via an arbitrary parameter whose name begins with the "phpgw_" sequence.

This issue has been fixed since Aug 27, 2009. No GLSA will be issued.
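
The two parameters named in CVE-2009-4415 (`conv_type`, which selects a file to include, and `csvfile`, which names a file to read) need different checks. The sketch below is an added example, not taken from this bug, from files/phpgroupware-SA35519.patch or from the upstream fix; the function names, the converter list and the directory paths are assumptions.

```php
<?php
// Added illustration; hypothetical helpers, not phpGroupWare code.

// conv_type picks a converter class file that is later include()d.
// Look the value up in a fixed list rather than building a path from it.
function resolve_converter(string $convType, string $convDir): string
{
    $allowed = ['csv', 'ldif', 'vcard'];   // constructed names (assumption)
    if (!in_array($convType, $allowed, true)) {
        throw new InvalidArgumentException('unknown conv_type');
    }
    return rtrim($convDir, '/') . '/' . $convType . '.inc.php';
}

// csvfile names a file to read. Drop any directory part, canonicalise,
// and require the result to stay under the upload directory (this also
// catches a symlink that points outside it).
function resolve_csv(string $csvFile, string $uploadDir): string
{
    $base = realpath($uploadDir);
    $path = realpath($uploadDir . '/' . basename($csvFile));
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($base === false || $path === false
        || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        throw new InvalidArgumentException('csvfile outside upload directory');
    }
    return $path;
}

// Constructed demo: one legitimate value and one traversal value each.
$dir = sys_get_temp_dir() . '/phpgw_demo_' . getmypid();
is_dir($dir) || mkdir($dir);
file_put_contents($dir . '/contacts.csv', "name,email\n");
$cases = [
    ['resolve_csv', 'contacts.csv', $dir],
    ['resolve_csv', '../../../../etc/passwd', $dir],
    ['resolve_converter', 'ldif', '/srv/app/conv'],
    ['resolve_converter', '../../../../tmp/upload', '/srv/app/conv'],
];
foreach ($cases as [$fn, $input, $root]) {
    try {
        echo "$fn($input) -> ", $fn($input, $root), "\n";
    } catch (InvalidArgumentException $e) {
        echo "$fn($input) -> rejected: ", $e->getMessage(), "\n";
    }
}
```

The allow-list is the stronger of the two checks because the request value never reaches the filesystem; the `realpath` containment test is for cases where the set of valid names cannot be fixed in advance.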