OSVDB ID: 6860

Title: phpGroupWare Calendar Module Holiday File Save Extension Feature Arbitrary File Execution

Info

Disclosure

Jan 09, 2004

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Unknown

Description

phpGroupWare contains a flaw that may allow a remote attacker to execute arbitrary files. The issue is triggered due to the 'calendar' module which does not enforce the 'save extension' feature for holiday files. It is possible that the flaw may allow a remote attacker to execute arbitrary files resulting in a loss of integrity.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Unknown
Disclosure: OSVDB Verified
OSVDB: Web Related

Solution

Upgrade to version 0.9.14.007 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

phpGroupWare

0.9.14.006

References

Secunia Advisory ID: 10046
ISS X-Force ID: 13489
CVE ID: 2004-0016 (see also: NVD)
Bugtraq ID: 9387
Vendor Specific Advisory URL: http://www.debian.org/security/2004/dsa-419
Vendor URL: http://www.phpgroupware.org/

Credit

Unknown or Incomplete

Direct URL: http://osvdb.org/36218