phpGroupWare Multiple SQL Injection Vulnerabilities

BID:40168

Info

phpGroupWare Multiple SQL Injection Vulnerabilities

Bugtraq ID: 40168
Class: Input Validation Error
CVE: CVE-2010-0404
Remote: Yes
Local: No
Published: May 12 2010 12:00AM
Updated: May 14 2010 09:21PM
Credit: VUPEN Security
Vulnerable: PHPGroupWare PHPGroupWare 0.9.16 RC3
PHPGroupWare PHPGroupWare 0.9.16 RC2
PHPGroupWare PHPGroupWare 0.9.16 RC1
PHPGroupWare PHPGroupWare 0.9.16 015
PHPGroupWare PHPGroupWare 0.9.16 014
PHPGroupWare PHPGroupWare 0.9.16 .010
PHPGroupWare PHPGroupWare 0.9.16 .007
PHPGroupWare PHPGroupWare 0.9.16 .006
PHPGroupWare PHPGroupWare 0.9.16 .005
+ Debian Linux 3.1 sparc
+ Debian Linux 3.1 s/390
+ Debian Linux 3.1 ppc
+ Debian Linux 3.1 mipsel
+ Debian Linux 3.1 mips
+ Debian Linux 3.1 m68k
+ Debian Linux 3.1 ia-64
+ Debian Linux 3.1 ia-32
+ Debian Linux 3.1 hppa
+ Debian Linux 3.1 arm
+ Debian Linux 3.1 alpha
+ Debian Linux 3.1
PHPGroupWare PHPGroupWare 0.9.16 .003
+ Gentoo Linux
PHPGroupWare PHPGroupWare 0.9.16 .002
PHPGroupWare PHPGroupWare 0.9.16 .000
PHPGroupWare PHPGroupWare 0.9.16.012
PHPGroupWare PHPGroupWare 0.9.16.011
Debian Linux 5.0 sparc
Debian Linux 5.0 s/390
Debian Linux 5.0 powerpc
Debian Linux 5.0 mipsel
Debian Linux 5.0 mips
Debian Linux 5.0 m68k
Debian Linux 5.0 ia-64
Debian Linux 5.0 ia-32
Debian Linux 5.0 hppa
Debian Linux 5.0 armel
Debian Linux 5.0 arm
Debian Linux 5.0 amd64
Debian Linux 5.0 alpha
Debian Linux 5.0
Not Vulnerable: PHPGroupWare PHPGroupWare 0.9.16 016

Discussion

phpGroupWare Multiple SQL Injection Vulnerabilities

phpGroupWare is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in SQL queries.

Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Versions of phpGroupWare prior to 0.9.16.016 are vulnerable.

Exploit / POC

phpGroupWare Multiple SQL Injection Vulnerabilities

Attackers can use a browser to exploit these issues.

Solution / Fix

phpGroupWare Multiple SQL Injection Vulnerabilities

Solution:
The vendor has released phpGroupWare 0.9.16.016 to address this issue. Please see the references for more information.


PHPGroupWare PHPGroupWare 0.9.16.011

Debian Linux 5.0 hppa

Debian Linux 5.0 ia-64

Debian Linux 5.0 m68k

Debian Linux 5.0 arm

Debian Linux 5.0 armel

Debian Linux 5.0

Debian Linux 5.0 alpha

Debian Linux 5.0 amd64

PHPGroupWare PHPGroupWare 0.9.16.012

Debian Linux 5.0 ia-32

Debian Linux 5.0 mips

Debian Linux 5.0 s/390

Debian Linux 5.0 mipsel

Debian Linux 5.0 powerpc

Debian Linux 5.0 sparc

PHPGroupWare PHPGroupWare 0.9.16 .006

PHPGroupWare PHPGroupWare 0.9.16 RC1

PHPGroupWare PHPGroupWare 0.9.16 .005

PHPGroupWare PHPGroupWare 0.9.16 .002

PHPGroupWare PHPGroupWare 0.9.16 RC3

PHPGroupWare PHPGroupWare 0.9.16 014

PHPGroupWare PHPGroupWare 0.9.16 015

PHPGroupWare PHPGroupWare 0.9.16 .000

PHPGroupWare PHPGroupWare 0.9.16 RC2

PHPGroupWare PHPGroupWare 0.9.16 .007

PHPGroupWare PHPGroupWare 0.9.16 .003

PHPGroupWare PHPGroupWare 0.9.16 .010

References

phpGroupWare Multiple SQL Injection Vulnerabilities

References:
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report