GLSA Bodhisattva
Joined: 25 Feb 2003 Posts: 3829 Location: Essen, Germany
Posted: Thu Dec 30, 2004 3:09 pm Post subject: [ GLSA 200412-27 ] PHProjekt: Remote code execution vulnerab
Gentoo Linux Security Advisory
Title: PHProjekt: Remote code execution vulnerability (GLSA 200412-27)
Severity: high
Exploitable: remote
Date: December 30, 2004
Bug(s): #75858
ID: 200412-27
Synopsis
PHProjekt contains a vulnerability that allows a remote attacker to execute arbitrary PHP code.
Background
PHProjekt is a modular groupware web application used to coordinate group activities and share files.
Affected Packages
Package: www-apps/phprojekt
Vulnerable: < 4.2-r2
Unaffected: >= 4.2-r2
Architectures: All supported architectures
Description
cYon discovered that the authform.inc.php script allows a remote user to define the global variable $path_pre.
Impact
A remote attacker can exploit this vulnerability to force authform.inc.php to download and execute arbitrary PHP code with the privileges of the web server user.
Workaround
There is no known workaround at this time.
Resolution
All PHProjekt users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/phprojekt-4.2-r2"
References
PHProjekt Advisory
Last edited by GLSA on Sun May 07, 2006 4:54 pm; edited 1 time in total
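A log check to run alongside the upgrade, as an added example that is not part of the advisory: it flags access-log requests that supply path_pre as a query parameter to authform.inc.php. The log format, the /groupware/ directory and every sample line are constructed assumptions; parameters sent in a POST body do not appear in access logs and are not covered.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (common log format). The /groupware/
# directory is a placeholder; only the script name comes from the advisory.
SAMPLE_LOG = """\
198.51.100.7 - - [30/Dec/2004:10:00:01 +0000] "GET /groupware/index.php HTTP/1.1" 200 5120
198.51.100.7 - - [30/Dec/2004:10:00:05 +0000] "GET /groupware/authform.inc.php HTTP/1.1" 200 812
203.0.113.9 - - [30/Dec/2004:10:02:11 +0000] "GET /groupware/authform.inc.php?path_pre=CONSTRUCTED-VALUE HTTP/1.1" 200 97
203.0.113.9 - - [30/Dec/2004:10:02:40 +0000] "GET /groupware/authform.inc.php?path%5Fpre=CONSTRUCTED-VALUE HTTP/1.1" 200 97
192.0.2.44 - - [30/Dec/2004:10:03:02 +0000] "GET /groupware/search.php?q=path_pre HTTP/1.1" 200 300
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
SCRIPT = "authform.inc.php"   # script named in the advisory
PARAM = "path_pre"            # variable named in the advisory

def find_path_pre_requests(log_text):
    """Return (client, timestamp, status) for requests that set path_pre on authform.inc.php."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parsable request line
        client, ts, _method, target, status = m.groups()
        url = urlsplit(target)
        # Decode the path so a percent-encoded script name still matches.
        if unquote(url.path).rsplit("/", 1)[-1].lower() != SCRIPT:
            continue
        # parse_qsl decodes keys, so path%5Fpre is caught as well; PHP array
        # syntax (path_pre[]) is stripped before comparing.
        keys = {k.split("[", 1)[0] for k, _ in parse_qsl(url.query, keep_blank_values=True)}
        if PARAM in keys:
            hits.append((client, ts, int(status)))
    return hits

if __name__ == "__main__":
    for client, ts, status in find_path_pre_requests(SAMPLE_LOG):
        print(f"{ts} {client} set {PARAM} on {SCRIPT} (HTTP {status})")
```

Any hit on a host that ran a version below 4.2-r2 is worth following up, since the parameter is not something a normal client would need to send.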