Gentoo Archives: gentoo-announce

From: Thierry Carrez <koon@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200508-20 ] phpGroupWare: Multiple vulnerabilities
Date: Tue, 30 Aug 2005 15:25:58
Message-Id: 431474F5.9010502@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200508-20
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: phpGroupWare: Multiple vulnerabilities
Date: August 30, 2005
Bugs: #102379
ID: 200508-20

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

phpGroupWare is vulnerable to multiple issues ranging from information
disclosure to a potential execution of arbitrary code.

Background
==========

phpGroupWare is a multi-user groupware suite written in PHP.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 www-apps/phpgroupware < 0.9.16.008 >= 0.9.16.008
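As an added check that is not part of this advisory: a small Python script that applies the Package / Vulnerable / Unaffected row above to an installed version string. The table text is copied from this advisory; the version-comparison rule is a simplification that handles only dotted numeric versions such as 0.9.16.008, not Gentoo suffixes like _p or -r.

```python
import re

# Affected-packages row exactly as printed in GLSA 200508-20 (copied, not constructed)
AFFECTED_TABLE = """
www-apps/phpgroupware < 0.9.16.008 >= 0.9.16.008
"""

# package, vulnerable-op, vulnerable-version, unaffected-op, unaffected-version
ROW_RE = re.compile(
    r'^(?P<pkg>\S+)\s+(?P<vop>[<>=]+)\s+(?P<vver>\S+)\s+(?P<uop>[<>=]+)\s+(?P<uver>\S+)$'
)


def parse_version(v):
    """Simplification: dotted numeric components only, so 008 compares as 8."""
    return tuple(int(part) for part in v.split('.'))


def compare(op, a, b):
    """Evaluate 'a op b' for the operators used in GLSA tables."""
    a, b = parse_version(a), parse_version(b)
    return {'<': a < b, '<=': a <= b, '>': a > b, '>=': a >= b, '=': a == b}[op]


def parse_table(text):
    """Map package name -> (vulnerable op, version, unaffected op, version)."""
    rows = {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows[m['pkg']] = (m['vop'], m['vver'], m['uop'], m['uver'])
    return rows


def is_affected(pkg, installed, table):
    """True if the installed version falls in the vulnerable range.

    Returns None when the advisory does not list the package at all.
    The unaffected column is checked first: a version that satisfies it
    is never reported as affected, even if the vulnerable range is broad.
    """
    if pkg not in table:
        return None
    vop, vver, uop, uver = table[pkg]
    if compare(uop, installed, uver):
        return False
    return compare(vop, installed, vver)
```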

Description
===========

phpGroupWare improperly validates the "mid" parameter retrieved via a
forum post. The current version of phpGroupWare also adds several
safeguards to prevent XSS issues, and disables the use of a potentially
vulnerable XML-RPC library.

Impact
======

A remote attacker may leverage the XML-RPC vulnerability to execute
arbitrary PHP script code. An attacker could also create a specially
crafted request that will reveal private posts.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All phpGroupWare users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/phpgroupware-0.9.16.008"

References
==========

[ 1 ] CAN-2005-2498
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2005-2498
[ 2 ] CAN-2005-2600
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2005-2600
[ 3 ] Secunia Advisory SA16414
http://secunia.com/advisories/16414

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200508-20.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0
