GLSA 200507-08: phpGroupWare, eGroupWare: PHP script injection vulnerability
Severity: | high |
Title: | phpGroupWare, eGroupWare: PHP script injection vulnerability |
Date: | 07/10/2005 |
Bugs: |
ID: | 200507-08 |
Synopsis
phpGroupWare and eGroupWare include an XML-RPC implementation which allows remote attackers to execute arbitrary PHP script code.
Background
phpGroupWare and eGroupWare are web based collaboration software suites.
Affected packages
Package | Vulnerable | Unaffected | Architecture(s) |
---|---|---|---|
www-apps/phpgroupware | < 0.9.16.006 | >= 0.9.16.006 | All supported architectures |
www-apps/egroupware | < 1.0.0.008 | >= 1.0.0.008 | All supported architectures |
Description
The XML-RPC implementations of phpGroupWare and eGroupWare fail to sanitize the XML data submitted to the XML-RPC server in the body of an HTTP POST request.
Impact
A remote attacker could exploit the XML-RPC vulnerability to execute arbitrary PHP script code by sending specially crafted XML data to the XML-RPC servers of phpGroupWare or eGroupWare.
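The advisory does not show the affected code path. The following is an added illustrative example, not code from phpGroupWare, eGroupWare or their XML-RPC library, of the class of flaw the Description and Impact refer to: an XML-RPC value decoder that splices text from the POST body into PHP source and eval()s it, beside a decoder that treats the same text purely as data. The request body, the method name `calendar.read`, the function names and the marker variable `$injected` are constructed for the example, which uses PHP 8 syntax.

```php
<?php
declare(strict_types=1);

// Added example (not phpGroupWare/eGroupWare code): the bug class the advisory
// calls "PHP script injection". A decoder builds PHP source from XML-RPC request
// data and eval()s it, so request text that closes the quoted literal runs as PHP.

// Constructed XML-RPC POST body. The method name and the string parameter are
// assumptions for illustration; the parameter carries a harmless PHP marker
// instead of a real payload.
const REQUEST_BODY = <<<'XML'
<?xml version="1.0"?>
<methodCall>
  <methodName>calendar.read</methodName>
  <params>
    <param><value><string>'; $injected = 'request text ran as PHP'; $x = '</string></value></param>
  </params>
</methodCall>
XML;

// VULNERABLE pattern: XML text becomes part of a PHP statement that is eval()ed.
function decode_value_vulnerable(string $text): array
{
    $injected = null;
    $code = '$x = \'' . $text . '\';';   // builds  $x = '<raw request text>';
    eval($code);                          // executes attacker-controlled source
    return ['value' => $x, 'injected' => $injected];
}

// SAFE pattern: parse the XML, map each <value> type through an allowlist,
// cast instead of interpreting, and never hand request data to eval().
function decode_value_safe(SimpleXMLElement $value): string|int|bool
{
    if (isset($value->string))  { return (string) $value->string; }
    if (isset($value->int))     { return (int) (string) $value->int; }
    if (isset($value->i4))      { return (int) (string) $value->i4; }
    if (isset($value->boolean)) { return ((string) $value->boolean) === '1'; }
    throw new InvalidArgumentException('unsupported XML-RPC value type');
}

// Parse the body; LIBXML_NONET keeps the parser off the network (XXE is a
// separate concern from the injection shown here).
$call  = simplexml_load_string(REQUEST_BODY, SimpleXMLElement::class, LIBXML_NONET);
$value = $call->params->param[0]->value;

// Vulnerable decoder: $injected is no longer null after the call, because the
// string parameter was spliced into PHP source and executed.
$r = decode_value_vulnerable((string) $value->string);
var_dump($r['injected']);

// Safe decoder: the same parameter comes back as an ordinary string and nothing
// in it is interpreted.
$s = decode_value_safe($value);
var_dump($s);
```

The tell for this bug class is that a legitimate value containing an apostrophe (for example a surname such as O'Brien) makes the vulnerable decoder throw a ParseError, because the quoted literal it generates is broken. Escaping the text before splicing it in only narrows the problem; the correct fix is to stop generating code from request data at all, which is what the safe decoder does.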
Workaround
There are no known workarounds at this time.
Resolution
All phpGroupWare users should upgrade to the latest available version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/phpgroupware-0.9.16.006"
All eGroupWare users should upgrade to the latest available version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/egroupware-1.0.0.008"
References
Availability
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
License
Copyright 2010 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.