From Secunia: Multiple vulnerabilities have been discovered in phpGroupWare, which can be exploited by malicious users to disclose sensitive information and by malicious people to disclose sensitive information or conduct cross-site scripting and SQL injection attacks.

1) Input passed to the "csvfile" parameter is not properly verified before being used in addressbook/csv_import.php. This can be exploited to disclose the content of arbitrary files on an affected system.

2) Input passed to the "passwd" parameter in login.php is not properly sanitised before being used in an SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Successful exploitation requires that "magic_quotes_gpc" is disabled.

3) Input passed via query parameter names that start with "phpgw_" is not properly sanitised before being returned to the user in login.php. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

4) Input passed via the "conv_type" parameter in addressbook/inc/class.uiXport.inc.php is not properly sanitised before being used to include files. This can be exploited to include arbitrary files from local resources via directory traversal attacks.

The vulnerabilities are confirmed in version 0.9.16.12. Other versions may also be affected.
Upstream seems to be pretty dead. If there is sufficient interest in this package, I can try to come up with a patch, like Secunia suggests: "SOLUTION: Edit the source code to ensure that input is properly sanitised and verified."
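The kind of input verification that items 1) and 4) of the advisory call for, shown as an added example that is not phpGroupWare's code and not the upstream patch. The function names, the directory layout and the sample inputs are hypothetical and constructed for illustration; it assumes converters and uploaded CSV files each live in one dedicated directory.

```php
<?php
// Added example, not phpGroupWare code. Function names, directory layout and
// sample inputs are hypothetical and constructed for this demonstration.

// Map a user-supplied converter name to a file directly inside $convDir.
// The name is used only as a lookup key against the directory listing, so
// "../" sequences, absolute paths and NUL bytes never reach include().
function resolve_converter(string $convType, string $convDir): ?string
{
    $allowed = [];
    foreach (scandir($convDir) ?: [] as $entry) {
        if (is_file("$convDir/$entry")) {
            $allowed[$entry] = "$convDir/$entry";
        }
    }
    return $allowed[$convType] ?? null;
}

// Confine a user-supplied file name to $baseDir. realpath() collapses ".."
// and symlinks, so the prefix check is made on the canonical path.
function resolve_upload(string $csvFile, string $baseDir): ?string
{
    if (strpos($csvFile, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . '/' . $csvFile);
    if ($base === false || $real === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return is_file($real) ? $real : null;
}

// Constructed fixture: one converter, one upload, one file outside both.
$root = sys_get_temp_dir() . '/pgw_demo_' . getmypid();
mkdir("$root/conv", 0700, true);
mkdir("$root/uploads", 0700, true);
file_put_contents("$root/conv/csv_basic", "<?php // converter stub\n");
file_put_contents("$root/uploads/contacts.csv", "name,email\n");
file_put_contents("$root/secret.txt", "outside\n");

foreach (['csv_basic', '../secret.txt', "csv_basic\0.php"] as $in) {
    printf("conv_type %-22s => %s\n", json_encode($in), resolve_converter($in, "$root/conv") ?? 'rejected');
}
foreach (['contacts.csv', '../secret.txt', '/etc/passwd'] as $in) {
    printf("csvfile   %-22s => %s\n", json_encode($in), resolve_upload($in, "$root/uploads") ?? 'rejected');
}
```

Only the first input of each loop resolves to a path; the others are rejected before any include or read would happen.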
+ 04 Aug 2009; Alex Legler <a3li@gentoo.org> package.mask: + Mask www-apps/phpgroupware, security bug 278864. + Masked until fixed or removed.
Local file inclusion should be B1, no? This needs a maskglsa then.
Fixed upstream: http://svn.savannah.gnu.org/viewvc?view=rev&root=phpgroupware&sortby=date&revision=19117

0.9.16_014 is tagged in the svn, but not linked on the web site. Please apply patch.
+*phpgroupware-0.9.16.012-r1 (12 Aug 2009) + + 12 Aug 2009; Alex Legler <a3li@gentoo.org> + +files/phpgroupware-SA35519.patch, +phpgroupware-0.9.16.012-r1.ebuild: + Non-maintainer commit: Version bump for security bug 278864. + + 12 Aug 2009; Alex Legler <a3li@gentoo.org> package.mask: + Taking phpgroupware out of p.mask as there is a fixed version now. Bug + 278864. + Arches, please test and mark stable: =www-apps/phpgroupware-0.9.16.012-r1 Target keywords : "alpha amd64 ppc"
ppc stable
Stable on alpha.
amd64 stable
GLSA request already filed.
No CVE seems to have been assigned yet.
CVE-2009-4414 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4414): SQL injection vulnerability in phpgwapi /inc/class.auth_sql.inc.php in phpGroupWare 0.9.16.12, and possibly other versions before 0.9.16.014, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the passwd parameter to login.php.

CVE-2009-4415 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4415): Multiple directory traversal vulnerabilities in phpGroupWare 0.9.16.12, and possibly other versions before 0.9.16.014, allow remote attackers to (1) read arbitrary files via the csvfile parameter to addressbook/csv_import.php, or (2) include and execute arbitrary local files via the conv_type parameter in addressbook/inc/class.uiXport.inc.php.

CVE-2009-4416 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4416): Cross-site scripting (XSS) vulnerability in login.php in phpGroupWare 0.9.16.12, and possibly other versions before 0.9.16.014, allows remote attackers to inject arbitrary web script or HTML via an arbitrary parameter whose name begins with the "phpgw_" sequence.
This issue has been fixed since Aug 27, 2009. No GLSA will be issued.