phpGroupWare setup.inc.php.sample Path Disclosure

2004-01-27T00:00:00
ID OSVDB:7601
Type osvdb
Reporter Cedric Cochin (cco@netvigilance.com)
Modified 2004-01-27T00:00:00

Description

Vulnerability Description

phpGroupWare contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when an attacker requests the "setup.inc.php.sample" script without arguments, which discloses the software installation path, resulting in a loss of confidentiality.

Solution Description

Upgrade to version 0.9.14.006 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Manual Testing Notes

http://[victim]/[phpgroupware_directory]/news_admin/website/setup.inc.php.sample

References:

Vendor URL: http://www.phpgroupware.org/
Vendor Specific Advisory URL
Related OSVDB ID: 7600
Related OSVDB ID: 7603
Related OSVDB ID: 7602
Related OSVDB ID: 7604
Related OSVDB ID: 7599
CVE-2004-2575