Package: phpgroupware
Version: 0.9.16.003-1
Severity: grave
Tags: security

CAN-2004-1385 describes multiple security holes in phpgroupware:

phpGroupWare 0.9.16.003 and earlier allows remote attackers to gain sensitive information via (1) unexpected characters in the session ID such as shell metacharacters, (2) an invalid appname parameter to preferences.php or (3) an invalid menuaction parameter to index.php, which reveals the web server path in an error message.

Details here:
http://marc.theaimsgroup.com/?l=bugtraq&m=110312656029072&w=2

Apparently this is fixed upstream in version 0.9.16.004.

-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.27
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages phpgroupware depends on:
ii  apache2-mpm-prefork [httpd]  2.0.52-3  Traditional model for Apache2
ii  debconf [debconf-2.0]        1.4.44    Debian configuration management sy
pn  php4 | php4-cgi                        Not found.
pn  php4-imap                              Not found.
pn  php4-pgsql | php4-mysql                Not found.
pn  phpgroupware-admin                     Not found.
pn  phpgroupware-phpgwapi                  Not found.
pn  phpgroupware-preferences               Not found.
pn  phpgroupware-setup                     Not found.
pn  wwwconfig-common                       Not found.

-- 
see shy jo