Debian: phpgroupware Multiple vulnerabilities

    Date: 09 Jan 2004
    Posted By: LinuxSecurity Advisories
    Improper remote execution and SQL code injection issues.
    - --------------------------------------------------------------------------
    Debian Security Advisory DSA 419-1                                          Martin Schulze
    January 9th, 2003              
    - --------------------------------------------------------------------------
    Package        : phpgroupware
    Vulnerability  : missing filename sanitising, SQL injection
    Problem-Type   : remote
    Debian-specific: no
    CVE ID         : CAN-2004-0016 CAN-2004-0017
    The authors of phpgroupware, a web based groupware system written in
    PHP, discovered several vulnerabilities.  The Common Vulnerabilities
    and Exposures project identifies the following problems:
      In the "calendar" module, "save extension" was not enforced for
      holiday files.  As a result, server-side php scripts may be placed
      in directories that then could be accessed remotely and cause the
      webserver to execute those.  This was resolved by enforcing the
      extension ".txt" for holiday files.
      Some SQL injection problems (non-escaping of values used in SQL
      strings) in the "calendar" and "infolog" modules.
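The two fix patterns the advisory describes, as an added example in PHP (the language phpgroupware is written in); this is not phpGroupWare's own code, and HOLIDAY_DIR, the `calendar` table and its `owner`/`title` columns are constructed for the example. The first function makes the stored extension ".txt" regardless of what name the user supplied, so no user-named ".php" file can land in a web-served directory; the query functions show the unescaped string that the second CVE describes next to the escaped form the advisory's wording implies and the prepared-statement form that removes the problem entirely.

```php
<?php
// Added example for DSA 419-1, not phpGroupWare code. HOLIDAY_DIR and the
// "calendar" table with "owner"/"title" columns are constructed here.
declare(strict_types=1);

const HOLIDAY_DIR = __DIR__ . '/holidays';   // assumed storage location

/**
 * Derive the on-disk name for a holiday file from a user-supplied name.
 * Returns the sanitised base name with ".txt" enforced, or null if the
 * name is unusable. Kept pure so it can be checked without touching disk.
 */
function holiday_file_name(string $user_name): ?string
{
    $base = basename($user_name);                  // drops "../" and any directory part
    $base = preg_replace('/\.[^.]*$/', '', $base); // drop any user-chosen extension
    if ($base === '' || !preg_match('/^[A-Za-z0-9_-]+$/', $base)) {
        return null;                               // e.g. ".htaccess" or "a.b.php"
    }
    return $base . '.txt';                         // extension is no longer user-controlled
}

/** Write the file under HOLIDAY_DIR; refuses rather than writes a bad name. */
function save_holiday_file(string $user_name, string $contents): string
{
    $name = holiday_file_name($user_name);
    if ($name === null) {
        throw new InvalidArgumentException('invalid holiday file name');
    }
    if (!is_dir(HOLIDAY_DIR) && !mkdir(HOLIDAY_DIR, 0750, true)) {
        throw new RuntimeException('cannot create holiday directory');
    }
    $path = HOLIDAY_DIR . '/' . $name;
    if (file_put_contents($path, $contents) === false) {
        throw new RuntimeException('cannot write ' . $path);
    }
    return $path;
}

/** Vulnerable pattern: values interpolated into the SQL string unescaped. */
function find_events_unsafe(PDO $db, string $owner, string $title): array
{
    $sql = "SELECT * FROM calendar WHERE owner = '$owner' AND title = '$title'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/** Fix as the advisory words it: escape every value placed in the SQL string. */
function find_events_escaped(PDO $db, string $owner, string $title): array
{
    $sql = 'SELECT * FROM calendar WHERE owner = ' . $db->quote($owner)
         . ' AND title = ' . $db->quote($title);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/** Preferred form: a prepared statement keeps values out of the SQL grammar. */
function find_events_prepared(PDO $db, string $owner, string $title): array
{
    $stmt = $db->prepare('SELECT * FROM calendar WHERE owner = :owner AND title = :title');
    $stmt->execute([':owner' => $owner, ':title' => $title]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Self-check against an in-memory SQLite database with constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE calendar (owner TEXT, title TEXT)');
$db->exec("INSERT INTO calendar VALUES ('alice', 'standup'), ('bob', 'review')");

var_dump(holiday_file_name('evil.php') === 'evil.txt');
var_dump(holiday_file_name('../../up.php') === 'up.txt');
var_dump(holiday_file_name('.htaccess') === null);
// A title containing a quote is a single literal to both fixed queries.
var_dump(count(find_events_escaped($db, 'alice', "it's")) === 0);
var_dump(count(find_events_prepared($db, 'alice', "it's")) === 0);
var_dump(count(find_events_prepared($db, 'alice', 'standup')) === 1);
```

Run with `php example.php`; every `var_dump` prints `bool(true)`. The unsafe function is kept only for comparison and is never called: with the same quoted title it would throw a syntax error from SQLite, which is the symptom of values becoming part of the query text.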
    Additionally, the Debian maintainer adjusted the permissions on world
    writable directories that were accidentally created by a former postinst
    script during the installation.
    For the stable distribution (woody) this problem has been fixed in
    version 0.9.14-0.RC3.2.woody3.
    For the unstable distribution (sid) this problem has been fixed in
    We recommend that you upgrade your phpgroupware, phpgroupware-calendar
    and phpgroupware-infolog packages.
    Upgrade Instructions
    - --------------------
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    If you are using the apt-get package manager, use the line for
    sources.list as given below:
    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages
    You may use an automated update by adding the resources from the
    footer to the proper configuration.
    Debian GNU/Linux 3.0 alias woody
    - --------------------------------
      Source archives:
          Size/MD5 checksum:     1648 fe062b1bf8877932bb2470e38d911514
          Size/MD5 checksum:   450361 75e7f22c764901a55fdd512c00ad9403
          Size/MD5 checksum:  8356188 22e715d0884d09aa848d694701a85b6b
      Architecture independent components:
          Size/MD5 checksum:    81236 56a2974de3da55bd5790071ce3e2d878
          Size/MD5 checksum:   143570 9362f1a084d918afd8411ad478463a9c
          Size/MD5 checksum:   283302 e6d43729c8ca9b200718b90ebfe80b5c
          Size/MD5 checksum:  2118350 59d03db385d1bbb59ad3dfb7e57bb8e2
          Size/MD5 checksum:    41680 58b563e77f3d22c966fc41f1fc8c87a0
          Size/MD5 checksum:   118658 427879de1ab1ce71efc4661d0a5d1ee9
          Size/MD5 checksum:    62866 8cde7024b9ad933a5b8516e663c3c2a6
          Size/MD5 checksum:   227778 dafa81279a94e830061a45dc27aa1561
          Size/MD5 checksum:    19354 5db6b3131d3d8a38612a56e00dd5693f
          Size/MD5 checksum:    60394 2f53b3a6515668bc50f6c44b37d84a75
          Size/MD5 checksum:   327606 5e0ed4e69ddab084c54c61a1f1ec1185
          Size/MD5 checksum:    90754 526677d3294e950846f73f5224872379
          Size/MD5 checksum:    19104 b57bb2ffd6924b326d535fe040b93b95
          Size/MD5 checksum:    41528 953bfd91bea52f00705b3fd4f0415ec1
          Size/MD5 checksum:    46096 e1b5108e23bee2e2305cdb031fea4c58
          Size/MD5 checksum:    50910 f742bfd791e4351004cfb8315c4b392a
          Size/MD5 checksum:   320926 02533f8e4d00569faae3d12104342e9d
          Size/MD5 checksum:    37878 446001e9d4dad5ed52c0431e6b2f7184
          Size/MD5 checksum:    48984 d9e0460cab85338cec380a03d1d55c48
          Size/MD5 checksum:    40024 5a4e2d552559efc9c82c3ac19399f8fc
          Size/MD5 checksum:    59460 97ca00d28d3d08c1963293bc188bf73a
          Size/MD5 checksum:    23696 b003552af5ac215ea5698b18975325eb
          Size/MD5 checksum:    38914 81f8c2b52ba8d700bb061544432f7b01
          Size/MD5 checksum:    94250 d5c04f7fd9ef850dcb01760e548dffd7
          Size/MD5 checksum:    93962 4e8ce2091f40a0e7ed4a7e42c5f13556
          Size/MD5 checksum:    87432 0f64fe97a9d86389219079d3daf0183a
          Size/MD5 checksum:    29808 b4e8141b97df11359349a825a45f5461
          Size/MD5 checksum:    25512 c27b435b115eb5b45574766dabcafb11
          Size/MD5 checksum:    31410 b3706db963a475e39d3b1fc736102a22
          Size/MD5 checksum:    42500 344a15932f0d627ba21c285df1a6279d
          Size/MD5 checksum:    27426 15eb78a12b9a1c8a8fbfc7c78f1064ac
          Size/MD5 checksum:    21638 999028c0af8d28fb9ea05567afaeacd8
          Size/MD5 checksum:    35616 f45af6b8ce3131c26000918b890e0cbf
          Size/MD5 checksum:    62188 e9a60c036da4b519b579e7f29b1f2f92
          Size/MD5 checksum:    29494 e3fc876b3b0cea434e586665f8be3ace
          Size/MD5 checksum:    46086 84928cb89947883658d0c2251b95a2c5
          Size/MD5 checksum:    91414 b6a52fa388dbc09c0d7ff554cfbf5c56
          Size/MD5 checksum:    35600 bd6f66dd3ce33125f6f0282f6ad7fbef
          Size/MD5 checksum:   278684 ab4dc26916fc11187c0c70da92b48700
          Size/MD5 checksum:    30940 766d5112eefd0ff8c5fdb4ca21435e69
          Size/MD5 checksum:    22656 3a0f2075d13f923b12c28ea864a627ad
          Size/MD5 checksum:    26770 5a756d5dcb59404af3f3beb16dbcb994
          Size/MD5 checksum:    43872 44f36dc391a31256697788dc64b51316
          Size/MD5 checksum:    46916 879ff4be6ee9b095d75132f92cae68da
          Size/MD5 checksum:    27532 c7ce0209ee04edbccf1adbf4f9afe807
          Size/MD5 checksum:   490010 6a6a85ca7dfa510c4a676f478c84ee67
          Size/MD5 checksum:    74822 249a47e63d59c1026fd3f02b854b8d32
          Size/MD5 checksum:    25608 7ca156a941abae77bc8699b860d4f818
      These files will probably be moved into the stable distribution on
      its next revision.
    - ---------------------------------------------------------------------------------
    For apt-get: deb stable/updates main
    For dpkg-ftp: dists/stable/updates/main
    Mailing list:
    Package info: `apt-cache show ' and