phpGroupWare 'app' Parameter Local File Include Vulnerability

BID:40167

Info

phpGroupWare 'app' Parameter Local File Include Vulnerability

Bugtraq ID: 40167
Class: Input Validation Error
CVE: CVE-2010-0403
Remote: Yes
Local: No
Published: May 12 2010 12:00AM
Updated: May 14 2010 08:51PM
Credit: VUPEN Security
Vulnerable: PHPGroupWare PHPGroupWare 0.9.16 RC3
PHPGroupWare PHPGroupWare 0.9.16 RC2
PHPGroupWare PHPGroupWare 0.9.16 RC1
PHPGroupWare PHPGroupWare 0.9.16 015
PHPGroupWare PHPGroupWare 0.9.16 014
PHPGroupWare PHPGroupWare 0.9.16 .010
PHPGroupWare PHPGroupWare 0.9.16 .007
PHPGroupWare PHPGroupWare 0.9.16 .006
PHPGroupWare PHPGroupWare 0.9.16 .005
+ Debian Linux 3.1 sparc
+ Debian Linux 3.1 s/390
+ Debian Linux 3.1 ppc
+ Debian Linux 3.1 mipsel
+ Debian Linux 3.1 mips
+ Debian Linux 3.1 m68k
+ Debian Linux 3.1 ia-64
+ Debian Linux 3.1 ia-32
+ Debian Linux 3.1 hppa
+ Debian Linux 3.1 arm
+ Debian Linux 3.1 alpha
+ Debian Linux 3.1
PHPGroupWare PHPGroupWare 0.9.16 .003
+ Gentoo Linux
PHPGroupWare PHPGroupWare 0.9.16 .002
PHPGroupWare PHPGroupWare 0.9.16 .000
PHPGroupWare PHPGroupWare 0.9.16.012
PHPGroupWare PHPGroupWare 0.9.16.011
Debian Linux 5.0 sparc
Debian Linux 5.0 s/390
Debian Linux 5.0 powerpc
Debian Linux 5.0 mipsel
Debian Linux 5.0 mips
Debian Linux 5.0 m68k
Debian Linux 5.0 ia-64
Debian Linux 5.0 ia-32
Debian Linux 5.0 hppa
Debian Linux 5.0 armel
Debian Linux 5.0 arm
Debian Linux 5.0 amd64
Debian Linux 5.0 alpha
Debian Linux 5.0
Not Vulnerable: PHPGroupWare PHPGroupWare 0.9.16 016

Discussion

phpGroupWare 'app' Parameter Local File Include Vulnerability

phpGroupWare is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to view files and execute local scripts in the context of the webserver process. This may aid in further attacks.

Versions prior to phpGroupWare 0.9.16.016 are vulnerable.

Exploit / POC

phpGroupWare 'app' Parameter Local File Include Vulnerability

Attackers can exploit this issue via a browser.

Solution / Fix

phpGroupWare 'app' Parameter Local File Include Vulnerability

Solution:
The vendor has released phpGroupWare 0.9.16.016 to address this issue. Please see the references for more information.


PHPGroupWare PHPGroupWare 0.9.16.011

Debian Linux 5.0 hppa

Debian Linux 5.0 ia-64

Debian Linux 5.0 m68k

Debian Linux 5.0 arm

Debian Linux 5.0 armel

Debian Linux 5.0

Debian Linux 5.0 alpha

Debian Linux 5.0 amd64

PHPGroupWare PHPGroupWare 0.9.16.012

Debian Linux 5.0 ia-32

Debian Linux 5.0 mips

Debian Linux 5.0 s/390

Debian Linux 5.0 mipsel

Debian Linux 5.0 powerpc

Debian Linux 5.0 sparc

PHPGroupWare PHPGroupWare 0.9.16 .006

PHPGroupWare PHPGroupWare 0.9.16 RC1

PHPGroupWare PHPGroupWare 0.9.16 .005

PHPGroupWare PHPGroupWare 0.9.16 .002

PHPGroupWare PHPGroupWare 0.9.16 RC3

PHPGroupWare PHPGroupWare 0.9.16 014

PHPGroupWare PHPGroupWare 0.9.16 015

PHPGroupWare PHPGroupWare 0.9.16 .000

PHPGroupWare PHPGroupWare 0.9.16 RC2

PHPGroupWare PHPGroupWare 0.9.16 .007

PHPGroupWare PHPGroupWare 0.9.16 .003

PHPGroupWare PHPGroupWare 0.9.16 .010

References

phpGroupWare 'app' Parameter Local File Include Vulnerability

References:
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report