Title: phpGroupWare Remote Include File Vulnerability
Severity: MODERATE
Description:
phpGroupWare is a multi-user groupware suite originally developed by Joseph Engo, and freely distributed. A problem in the software could allow users to remotely execute malicious code.
The problem occurs in the use of the PHP include() function. Due to a design flaw in the phpgw.inc.php include file, it is possible to supply variables via a FORM method that populate the file's own variables and cause the software to seek an include file outside of the local system. Insufficient access control makes it possible for a malicious user to send a custom-crafted request to the web server, which could result in the execution of code with the UID and GID of the httpd process.
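One way to close off the flaw described above, as an added example that is not phpGroupWare's own code: the include root comes from server-side configuration, and a request may only select a module name that resolves to a file inside it. The function name `resolve_include`, the module file `calendar.inc.php` and the sample inputs are constructed for illustration.

```php
<?php
// Added illustration, not phpGroupWare code. Function and file names are hypothetical.
// Pattern described above (unsafe): include($dir . '/functions.inc.php');
// where $dir can be populated from request data.
// Defence in depth in php.ini: allow_url_include = Off

/**
 * Map a requested module name to a file inside $root, or return null.
 * $root must come from server-side configuration, never from the request.
 */
function resolve_include(string $root, string $name): ?string
{
    // Plain identifier only: rejects URL schemes, slashes, dots and NUL bytes.
    if (!preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $name)) {
        return null;
    }
    $base = realpath($root);
    $path = realpath($root . '/' . $name . '.inc.php');
    if ($base === false || $path === false) {
        return null; // root or target file does not exist
    }
    // After symlink resolution the file must still sit under the root.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed demo: a temporary include root with one module file.
$root = sys_get_temp_dir() . '/inc_demo_' . getmypid();
if (!is_dir($root)) {
    mkdir($root, 0700);
}
file_put_contents($root . '/calendar.inc.php', "<?php return 'calendar loaded';\n");

// Constructed inputs: one valid name, a remote URL, a traversal, a missing module.
$inputs = ['calendar', 'http://198.51.100.7/x.txt', '../../etc/passwd', 'missing'];
foreach ($inputs as $input) {
    $file = resolve_include($root, $input);
    $result = ($file === null) ? 'rejected' : (include $file);
    printf("%-28s %s\n", $input, $result);
}

unlink($root . '/calendar.inc.php');
rmdir($root);
```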
Affected Products:
- Joseph Engo phpGroupWare 0.9.6