vendor:
PHPGroupWare
by:
SecurityFocus
7.5
CVSS
HIGH
SQL Injection
89
CWE
Product Name: PHPGroupWare
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit:
N/A
Other Scripts:
N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2002
PHPGroupWare Insecure Default Configuration
PHPGroupWare is a freely available, open source groupware system written in PHP. It is distributed and maintained by the PHPGroupWare project. Debian packages of PHPGroupWare ship with an insecure default configuration. The PHP magic_quotes_gpc directive of the PHPGroupWare apache.conf file is disabled by default in Debian packages. This may enable remote attackers to make SQL injection attacks via PHPGroupWare. Under normal circumstances, PHPGroupWare installs with the PHP magic_quotes_gpc directive enabled, to restrict the possibility of SQL injection attacks. Additionally, this issue may also enable an attacker to exploit vulnerabilities that may exist in the underlying database.
Mitigation:
Enabling the PHP magic_quotes_gpc directive in the PHPGroupWare apache.conf file.
