phpGroupWare index.php Multiple Parameter SQL Injection

2004-12-14T06:18:39
ID OSVDB:12396
Type osvdb
Reporter James Bercegay
Modified 2004-12-14T06:18:39

Description

Vulnerability Description

phpGroupWare contains a flaw that allows a remote attacker to inject arbitrary SQL code. Multiple parameters in the 'index.php' script are not properly validated, which allows an attacker to inject or manipulate SQL queries.

Solution Description

Upgrade to version 0.9.16.004 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

References:

Vendor URL: http://www.phpgroupware.org
Security Tracker: 1012529
Secunia Advisory ID: 13467
Related OSVDB ID: 12390
Related OSVDB ID: 12393
Related OSVDB ID: 12395
Related OSVDB ID: 12391
Related OSVDB ID: 12392
Related OSVDB ID: 12394
Other Advisory URL: http://security.gentoo.org/glsa/glsa-200501-08.xml
Other Advisory URL: http://www.gulftech.org/?node=research&article_id=00054-12142004
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-12/0155.html
Keyword: formerly webdistro
ISS X-Force ID: 18497
ISS X-Force ID: 18496
CVE-2004-1385
Bugtraq ID: 11952