phpGroupWare Holiday File Arbitrary File Execution

2004-01-09T00:00:00
ID OSVDB:6860
Type osvdb
Reporter OSVDB
Modified 2004-01-09T00:00:00

Description

Vulnerability Description

phpGroupWare contains a flaw that may allow a remote attacker to execute arbitrary files. The issue is triggered due to the 'calendar' module which does not enforce the 'save extension' feature for holiday files. It is possible that the flaw may allow a remote attacker to execute arbitrary files resulting in a loss of integrity.

Solution Description

Upgrade to version 0.9.14.007 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Short Description

phpGroupWare contains a flaw that may allow a remote attacker to execute arbitrary files. The issue is triggered due to the 'calendar' module which does not enforce the 'save extension' feature for holiday files. It is possible that the flaw may allow a remote attacker to execute arbitrary files resulting in a loss of integrity.

References:

Vendor URL: http://www.phpgroupware.org/ Vendor Specific Advisory URL Secunia Advisory ID:10046 ISS X-Force ID: 13489 CVE-2004-0016 Bugtraq ID: 9387