Bugtraq mailing list archives

Re: SQL injection in PHPGroupware
From: Adam McKenna <adam () flounder net>
Date: Wed, 3 Apr 2002 17:04:32 -0800

On Wed, Apr 03, 2002 at 04:08:36PM +0200, Matthias Jordan wrote:
> + Problem
>
> PHPGroupware 0.9.12 (the current release version) is vulnerable
> to SQL injection. This enables each attacker who can access the
> login page of PHPGroupware to take over the database. This is
> true in particular for the Debian package phpgroupware
> (0.9.12-3.2) that has been tested.

...

> Solution involving more work: upgrade to 0.9.14 RC2. The problem
> seems to be fixed there, but neither is there a Debian package
> for it, yet, nor a statement that this bug has been fixed and to
> what extent nor is it a release version.

I'm having trouble figuring out why Debian is singled out in your post.  It
doesn't appear as though you e-mailed security () debian org regarding this
problem, nor did you file any bugs against the package in question, at least
according to http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=phpgroupware

Also, FWIW, the latest version of this software in Debian Unstable, according
to packages.debian.org, is 0.9.14-0.RC2.1.  The package is not present in the
stable version of Debian.

--Adam

-- 
Adam McKenna  <adam () debian org>  <adam () flounder net>

