Executive Summary



This alert is flagged as a Top 25 Common Weakness Enumeration entry from CWE/SANS.
Summary
Title: phpCollab: Multiple vulnerabilities
Information
Name: GLSA-200812-20
First vendor publication: 2008-12-21
Vendor: Gentoo
Last vendor modification: 2008-12-21
Severity (vendor): High
Revision: N/A

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: NA
Base score: NA
Environmental score: NA
Impact subscore: NA
Temporal score: NA
Exploitability subscore: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS base score: 10
Attack range: Network
CVSS impact score: 10
Attack complexity: Low
CVSS exploit score: 10
Authentication: None required

Detail

Synopsis

Multiple vulnerabilities have been discovered in phpCollab allowing for remote injection of shell commands, PHP code and SQL statements.

Background

phpCollab is a web-enabled groupware and project management software written in PHP. It uses SQL-based database backends.

Description

Multiple vulnerabilities have been found in phpCollab:

* rgod reported that data sent to general/sendpassword.php via the loginForm parameter is not properly sanitized before being used in an SQL statement (CVE-2006-1495).

* Christian Hoffmann of Gentoo Security discovered multiple vulnerabilities where input is insufficiently sanitized before being used in an SQL statement, for instance in general/login.php via the loginForm parameter (CVE-2008-4303).

* Christian Hoffmann also found out that the variable $SSL_CLIENT_CERT in general/login.php is not properly sanitized before being used in a shell command. (CVE-2008-4304).

* User-supplied data to installation/setup.php is not checked before being written to include/settings.php which is executed later. This issue was reported by Christian Hoffmann as well (CVE-2008-4305).

Impact

These vulnerabilities enable remote attackers to execute arbitrary SQL statements and PHP code. NOTE: Some of the SQL injection vulnerabilities require the php.ini option "magic_quotes_gpc" to be disabled. Furthermore, an attacker might be able to execute arbitrary shell commands if "register_globals" is enabled, "magic_quotes_gpc" is disabled, the PHP OpenSSL extension is not installed or loaded and the file "installation/setup.php" has not been deleted after installation.
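As an added example (not part of the GLSA, phpCollab or Gentoo tooling), the shell functions below check one host for the preconditions named above that can be read from disk: the two php.ini directives and a leftover installation/setup.php. The php.ini path and install directory are supplied by the caller, and directives missing from php.ini are assumed to take the built-in defaults of PHP releases before 5.4 (register_globals off, magic_quotes_gpc on).

```shell
#!/bin/sh
# Added example, not from the GLSA or phpCollab. Paths are caller-supplied.
# Assumption: directives absent from php.ini take the built-in defaults of
# PHP releases before 5.4 (register_globals off, magic_quotes_gpc on).

# ini_flag FILE KEY DEFAULT: print "on" or "off"; the last active assignment wins.
ini_flag() {
    awk -F= -v key="$2" -v val="$3" '
        /^[ \t]*;/ { next }                      # skip commented-out lines
        {
            k = $1; gsub(/[ \t]/, "", k)
            if (tolower(k) != key) next
            v = $2; sub(/;.*/, "", v); gsub(/[ \t"]/, "", v)
            v = tolower(v)
            val = (v == "on" || v == "1" || v == "true" || v == "yes") ? "on" : "off"
        }
        END { print val }
    ' "$1"
}

# phpcollab_exposure PHP_INI APP_DIR: print one FINDING line per precondition met.
phpcollab_exposure() {
    ini=$1
    app=$2
    if [ "$(ini_flag "$ini" register_globals off)" = on ]; then
        echo "FINDING register_globals is enabled"
    fi
    if [ "$(ini_flag "$ini" magic_quotes_gpc on)" = off ]; then
        echo "FINDING magic_quotes_gpc is disabled"
    fi
    if [ -e "$app/installation/setup.php" ]; then
        echo "FINDING installation/setup.php was not deleted after installation"
    fi
    # Not checked here: whether the PHP OpenSSL extension is loaded (that needs
    # the running PHP, not php.ini alone), and the flaws themselves.
    return 0
}
```

An empty result only means these preconditions are absent; the advisory lists no workaround, so the Resolution below still applies.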

Workaround

There is no known workaround at this time.

Resolution

phpCollab has been removed from the Portage tree. We recommend that users unmerge phpCollab:
# emerge --unmerge "www-apps/phpcollab"

References

[ 1 ] CVE-2006-1495 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1495
[ 2 ] CVE-2008-4303 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4303
[ 3 ] CVE-2008-4304 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4304
[ 4 ] CVE-2008-4305 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4305

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200812-20.xml

Original Source

Url : http://security.gentoo.org/glsa/glsa-200812-20.xml

CAPEC : Common Attack Pattern Enumeration & Classification

Id Name
CAPEC-6 Argument Injection
CAPEC-15 Command Delimiters
CAPEC-43 Exploiting Multiple Input Interpretation Layers
CAPEC-88 OS Command Injection
CAPEC-108 Command Line Execution through SQL Injection

CWE : Common Weakness Enumeration

% Id Name
33 % CWE-94 Failure to Control Generation of Code ('Code Injection')
33 % CWE-89 Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection') (CWE/SANS Top 25)
33 % CWE-78 Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection') (CWE/SANS Top 25)

CPE : Common Platform Enumeration

Type Description Count
Application 1
Application 3
Application 7

OpenVAS Exploits

Date Description
2008-12-23 Name : Gentoo Security Advisory GLSA 200812-20 (phpcollab)
File : nvt/glsa_200812_20.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
53103 phpCollab general/login.php loginForm Parameter SQL Injection

phpCollab contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'general/login.php' script not properly sanitizing user-supplied input to the 'loginForm' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

50949 phpCollab general/login.php SSL_CLIENT_CERT Environment Variable Shell Metach...

50948 phpCollab installation/setup.php URI Parameter Arbitrary PHP Code Injection

24230 NetOffice sendpassword.php User Name Field SQL Injection

NetOffice contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the /general/sendpassword.php script not properly sanitizing user-supplied input to the 'loginForm' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

24227 PHPCollab settings.php Ftp Server Field Arbitrary PHP Code Execution

24226 PHPCollab sendpassword.php User Name Field SQL Injection

PHPCollab contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the /general/sendpassword.php script not properly sanitizing user-supplied input to the 'loginForm' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

Nessus® Vulnerability Scanner

Date Description
2008-12-22 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-200812-20.nasl - Type : ACT_GATHER_INFO

Alert History

Date Information
2014-02-17 11:36:12
  • Multiple Updates