[gentoo-announce] [ GLSA 200409-22 ] phpGroupWare: XSS vulnerability in wiki module - gentoo-announce

From:	Kurt Lieber <klieber@g.o>
To:	gentoo-announce@l.g.o
Cc:	bugtraq@×××××××××××××.com, full-disclosure@××××××××××××.com, security-alerts@×××××××××××××.com
Subject:	[gentoo-announce] [ GLSA 200409-22 ] phpGroupWare: XSS vulnerability in wiki module
Date:	Thu, 16 Sep 2004 21:59:58
Message-Id:	`20040916215837.GW442@mail.lieber.org`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 200409-22

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                            http://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

  Severity: Normal

8

     Title: phpGroupWare: XSS vulnerability in wiki module

9

      Date: September 16, 2004

10

      Bugs: #63063

11

        ID: 200409-22

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

The phpGroupWare software contains a cross site scripting vulnerability

19

in the wiki module.

20

21

Background

22

==========

23

24

phpGroupWare is a web-based suite of group applications including

25

calendar, todo-list, addressbook, email, wiki, news headlines, and a

26

file manager.

27

28

Affected packages

29

=================

30

31

    -------------------------------------------------------------------

32

     Package                /   Vulnerable   /              Unaffected

33

    -------------------------------------------------------------------

34

  1  www-apps/phpgroupware     < 0.9.16.003              >= 0.9.16.003

35

36

Description

37

===========

38

39

Due to an input validation error, the wiki module in the phpGroupWare

40

suite is vulnerable to cross site scripting attacks.

41

42

Impact

43

======

44

45

This vulnerability gives an attacker the ability to inject and execute

46

malicious script code, potentially compromising the victim's browser.

47

48

Workaround

49

==========

50

51

The is no known workaround at this time.

52

53

Resolution

54

==========

55

56

All phpGroupWare users should upgrade to the latest version:

57

58

    # emerge sync

59

60

    # emerge -pv ">=www-apps/phpgroupware-0.9.16.003"

61

    # emerge ">=www-apps/phpgroupware-0.9.16.003"

62

63

References

64

==========

65

66

  [ 1 ] phpGroupWare ChangeLog

67

        http://downloads.phpgroupware.org/changelog

68

  [ 2 ] Secunia Advisory SA12466

69

        http://secunia.com/advisories/12466/

70

71

Availability

72

============

73

74

This GLSA and any updates to it are available for viewing at

75

the Gentoo Security Website:

76

77

  http://security.gentoo.org/glsa/glsa-200409-22.xml

78

79

Concerns?

80

=========

81

82

Security is a primary focus of Gentoo Linux and ensuring the

83

confidentiality and security of our users machines is of utmost

84

importance to us. Any security concerns should be addressed to

85

security@g.o or alternatively, you may file a bug at

86

http://bugs.gentoo.org.

87

88

License

89

=======

90

91

Copyright 2004 Gentoo Foundation, Inc; referenced text

92

belongs to its owner(s).

93

94

The contents of this document are licensed under the

95

Creative Commons - Attribution / Share Alike license.

96

97

http://creativecommons.org/licenses/by-sa/1.0

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 200409-22
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	http://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: Normal
8	Title: phpGroupWare: XSS vulnerability in wiki module
9	Date: September 16, 2004
10	Bugs: #63063
11	ID: 200409-22
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	The phpGroupWare software contains a cross site scripting vulnerability
19	in the wiki module.
20
21	Background
22	==========
23
24	phpGroupWare is a web-based suite of group applications including
25	calendar, todo-list, addressbook, email, wiki, news headlines, and a
26	file manager.
27
28	Affected packages
29	=================
30
31	-------------------------------------------------------------------
32	Package / Vulnerable / Unaffected
33	-------------------------------------------------------------------
34	1 www-apps/phpgroupware < 0.9.16.003 >= 0.9.16.003
35
36	Description
37	===========
38
39	Due to an input validation error, the wiki module in the phpGroupWare
40	suite is vulnerable to cross site scripting attacks.
41
42	Impact
43	======
44
45	This vulnerability gives an attacker the ability to inject and execute
46	malicious script code, potentially compromising the victim's browser.
47
48	Workaround
49	==========
50
51	The is no known workaround at this time.
52
53	Resolution
54	==========
55
56	All phpGroupWare users should upgrade to the latest version:
57
58	# emerge sync
59
60	# emerge -pv ">=www-apps/phpgroupware-0.9.16.003"
61	# emerge ">=www-apps/phpgroupware-0.9.16.003"
62
63	References
64	==========
65
66	[ 1 ] phpGroupWare ChangeLog
67	http://downloads.phpgroupware.org/changelog
68	[ 2 ] Secunia Advisory SA12466
69	http://secunia.com/advisories/12466/
70
71	Availability
72	============
73
74	This GLSA and any updates to it are available for viewing at
75	the Gentoo Security Website:
76
77	http://security.gentoo.org/glsa/glsa-200409-22.xml
78
79	Concerns?
80	=========
81
82	Security is a primary focus of Gentoo Linux and ensuring the
83	confidentiality and security of our users machines is of utmost
84	importance to us. Any security concerns should be addressed to
85	security@g.o or alternatively, you may file a bug at
86	http://bugs.gentoo.org.
87
88	License
89	=======
90
91	Copyright 2004 Gentoo Foundation, Inc; referenced text
92	belongs to its owner(s).
93
94	The contents of this document are licensed under the
95	Creative Commons - Attribution / Share Alike license.
96
97	http://creativecommons.org/licenses/by-sa/1.0

Gentoo Archives: gentoo-announce