Package: phpgroupware
Version: 0.9.16.003-1
Severity: grave
Tags: security

CAN-2004-1385 describes multiple security holes in phpgroupware:

  phpGroupWare 0.9.16.003 and earlier allows remote attackers to gain sensitive
  information via (1) unexpected characters in the session ID such as shell
  metacharacters, (2) an invalid appname parameter to preferences.php or (3) an
  invalid menuaction parameter to index.php, which reveals the web server path
  in an error message.

Details here:

        http://marc.theaimsgroup.com/?l=bugtraq&m=110312656029072&w=2

Apparently this is fixed upstream in version 0.9.16.004.

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.27
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages phpgroupware depends on:
ii  apache2-mpm-prefork [httpd]   2.0.52-3   Traditional model for Apache2
ii  debconf [debconf-2.0]         1.4.44     Debian configuration management sy
pn  php4 | php4-cgi                          Not found.
pn  php4-imap                                Not found.
pn  php4-pgsql | php4-mysql                  Not found.
pn  phpgroupware-admin                       Not found.
pn  phpgroupware-phpgwapi                    Not found.
pn  phpgroupware-preferences                 Not found.
pn  phpgroupware-setup                       Not found.
pn  wwwconfig-common                         Not found.

-- 
see shy jo
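
Added example, not part of the original report or of phpGroupWare's code: a log check that flags requests matching the three vectors in the CAN-2004-1385 description quoted above. The `sessionid` parameter name, the alphanumeric session ID format, the `app.class.method` shape of `menuaction`, the `INSTALLED_APPS` list and the sample log lines are all assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumptions (not from the report): the session ID travels as "sessionid",
# a well-formed one is alphanumeric, menuaction looks like app.class.method,
# and INSTALLED_APPS stands in for the site's own list of application names.
INSTALLED_APPS = {"addressbook", "calendar", "email", "preferences"}
SESSION_OK = re.compile(r"[A-Za-z0-9]{1,64}")
MENUACTION_OK = re.compile(r"[A-Za-z0-9_]+\.[A-Za-z0-9_]+\.[A-Za-z0-9_]+")
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed access-log lines (common log format), not real traffic.
SAMPLE_LOG = [
    '192.0.2.1 - - [01/Jan/2005:10:00:00 +0000] "GET /phpgroupware/index.php?menuaction=email.uiindex.index&sessionid=a1b2c3 HTTP/1.1" 200 5120',
    '192.0.2.2 - - [01/Jan/2005:10:00:05 +0000] "GET /phpgroupware/index.php?sessionid=a1b2%3Bc3 HTTP/1.1" 200 812',
    '192.0.2.2 - - [01/Jan/2005:10:00:09 +0000] "GET /phpgroupware/preferences.php?appname=nosuchapp HTTP/1.1" 200 640',
    '192.0.2.2 - - [01/Jan/2005:10:00:12 +0000] "GET /phpgroupware/index.php?menuaction=nosuchvalue HTTP/1.1" 200 655',
]


def classify(line):
    """Return which of the three described vectors a log line matches."""
    m = REQUEST.search(line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    params = parse_qs(url.query, keep_blank_values=True)
    script = url.path.rsplit("/", 1)[-1]
    hits = []
    for sid in params.get("sessionid", []):
        if not SESSION_OK.fullmatch(sid):
            hits.append("session-id")  # (1) unexpected characters
    if script == "preferences.php":
        for app in params.get("appname", []):
            if app not in INSTALLED_APPS:
                hits.append("appname")  # (2) invalid appname
    if script == "index.php":
        for action in params.get("menuaction", []):
            app = action.split(".", 1)[0]
            if not MENUACTION_OK.fullmatch(action) or app not in INSTALLED_APPS:
                hits.append("menuaction")  # (3) invalid menuaction
    return hits


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(classify(entry), entry.split('"')[1])
```

Hits from a host that also received error pages are the ones worth following up, since the disclosure happens in the error message body, which an access log does not record.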
