Re: SQL injection in PHPGroupware
From: Adam McKenna (adam@flounder.net)
Date: 04/04/02
Date: Wed, 3 Apr 2002 17:04:32 -0800
To: bugtraq@securityfocus.com
From: Adam McKenna <adam@flounder.net>
On Wed, Apr 03, 2002 at 04:08:36PM +0200, Matthias Jordan wrote:
> + Problem
>
> PHPGroupware 0.9.12 (the current release version) is vulnerable
> to SQL injection. This enables each attacker who can access the
> login page of PHPGroupware to take over the database. This is
> true in particular for the Debian package phpgroupware
> (0.9.12-3.2) that has been tested.
...
> Solution involving more work: upgrade to 0.9.14 RC2. The problem
> seems to be fixed there, but neither is there a Debian package
> for it, yet, nor a statement that this bug has been fixed and to
> what extent nor is it a release version.
I'm having trouble figuring out why Debian is singled out in your post. It
doesn't appear as though you e-mailed security@debian.org regarding this
problem, nor did you file any bugs against the package in question, at least
according to http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=phpgroupware
Also, FWIW, the latest version of this software in Debian Unstable, according
to packages.debian.org, is 0.9.14-0.RC2.1. The package is not present in the
stable version of Debian.
--Adam
-- Adam McKenna <adam@debian.org> <adam@flounder.net>