Home page logo

bugtraq logo Bugtraq mailing list archives

security hole in os groupware suite PHProjekt
From: "Albrecht Guenther" <ag () phprojekt com>
Date: Tue, 8 May 2001 15:45:17 +0200

Hello Bugtraq team,

this is my first posting to the bugtraq ML.
If my posting is incomplete or you have further
questions, please don't hesitate to mail me.
Daniel Wittenberg kindly notified me about
the following bug.

best regards
Albrecht Guenther

PHProjekt is an open source groupware suite written in PHP4 
with mysql/postgres/oracle support: 
The security hole concernes the file module.

By adding the famous ".." string to the url one can have access to other
directories than the one which is specified in the config.

The concerned releases are version 2.0, 2.0.1 and 2.1 of PHProjekt

A patched version of the file is available under:
or download the newest release from the homepage


Daniel Wittenberg from starken.com found this security hole
and kindly provided me with this informtaion.

Albrecht Guenther

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]