[Phpgroupware-tracker] [bug #4385] arbitrary PHP code or system commands


From: nobody
Subject: [Phpgroupware-tracker] [bug #4385] arbitrary PHP code or system commands execution
Date: Mon, 21 Jul 2003 11:55:39 -0400
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030626

=================== BUG #4385: LATEST MODIFICATIONS ==================
http://savannah.gnu.org/bugs/?func=detailbug&bug_id=4385&group_id=509

Changes by: Ralf Becker <address@hidden>
Date: Mon 07/21/2003 at 17:55 (Europe/Berlin)

            What     | Removed                   | Added
---------------------------------------------------------------------------
          Resolution | None                      | Fixed
         Assigned to | None                      | ralfbecker
              Status | Open                      | Closed


------------------ Additional Follow-up Comments ----------------------------
This has been fixed in CVS and should be available in the next
release.



=================== BUG #4385: FULL BUG SNAPSHOT ===================


Submitted by: cyon                    Project: phpGroupWare                 
Submitted on: Sun 07/20/2003 at 20:58
Category:  API - phpGWapi             Bug Group:  0.9.14.004/5 release      
Severity:  5 - Major                  Priority:  Immediate                  
Resolution:  Fixed                    Assigned to:  ralfbecker              
Status:  Closed                       Component Version:  TGZ               
Platform Version:  Linux - RedHat     Reproducibility:  Every Time          

Summary:  arbitrary PHP code or system commands execution

Original Submission:  Here is limited information on the security risk. Wasn't
sure if this bug submission was made public.

Description:
/phpgwapi/setup/tables_update.inc.php allows anyone to
execute arbitrary PHP code or system commands with the
privileges of the web server. A user can easily include
remote PHP files to be parsed.

Phil - address@hidden

Follow-up Comments
*******************

-------------------------------------------------------
Date: Mon 07/21/2003 at 17:55       By: ralfbecker
This has been fixed in CVS and should be available in the next
release.


CC list is empty


No files currently attached


For detailed info, follow this link:
http://savannah.gnu.org/bugs/?func=detailbug&bug_id=4385&group_id=509

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/




