• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns
• Security Research

• info
• discussion
• exploit
• solution
• references

Multiple PHPGroupWare HTML Injection Vulnerabilities

Solution:
The vendor has addressed this issue in phpGroupWare 0.9.14.005.

Mandrake has released an advisory (MDKSA-2003:077) that addresses this issue. Please see the attached advisory for details on obtaining and applying fixes.

Conectiva has released an advisory (CLA-2003:697) that addresses this issue. Please see the attached advisory for details on obtaining and applying fixes.

Debian has released advisory DSA 365-1 with fixes to address this issue. See referenced advisory for additional information.

Fixes are available:


PHPGroupWare PHPGroupWare 0.9.12

• Conectiva phpgroupware-0.9.14.005-1U70_2cl.noarch.rpm
  ftp://atualizacoes.conectiva.com.br/7.0/RPMS/phpgroupware-0.9.14.005-1 U70_2cl.noarch.rpm


• Conectiva phpgroupware-0.9.14.005-1U80_2cl.noarch.rpm
  ftp://atualizacoes.conectiva.com.br/8/RPMS/phpgroupware-0.9.14.005-1U8 0_2cl.noarch.rpm


• Conectiva phpgroupware-0.9.14.005-9432U90_2cl.noarch.rpm
  ftp://atualizacoes.conectiva.com.br/9/RPMS/phpgroupware-0.9.14.005-943 2U90_2cl.noarch.rpm


• phpGroupWare phpGroupWare 0.9.14.005
  http://www.phpgroupware.org/downloads/

PHPGroupWare PHPGroupWare 0.9.13

• phpGroupWare phpGroupWare 0.9.14.005
  http://www.phpgroupware.org/downloads/

PHPGroupWare PHPGroupWare 0.9.14 .003

• Debian phpgroupware-addressbook_0.9.14-0.RC3.2.woody3_all.deb
  Debian GNU/Linux 3.0 (woody)
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupwa re-addressbook_0.9.14-0.RC3.2.woody3_all.deb


• Debian phpgroupware-admin_0.9.14-0.RC3.2.woody3_all.deb
  Debian GNU/Linux 3.0 (woody)
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupwa re-admin_0.9.14-0.RC3.2.woody3_all.deb


• Debian phpgroupware-api-doc_0.9.14-0.RC3.2.woody3_all.deb
  Debian GNU/Linux 3.0 (woody)
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupwa re-api-doc_0.9.14-0.RC3.2.woody3_all.deb


• Debian phpgroupware-api_0.9.14-0.RC3.2.woody3_all.deb
  Debian GNU/Linux 3.0 (woody)
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupwa re-api_0.9.14-0.RC3.2.woody3_all.deb


• Debian phpgroupware-bookkeeping_0.9.14-0.RC3.2.woody3_all.deb
  Debian GNU/Linux 3.0 (woody)
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupwa re-bookkeeping_0.9.14-0.RC3.2.woody3_all.deb


• Debian phpgroupware-bookmarks_0.9.14-0.RC3.2.woody3_all.deb
  Debian GNU/Linux 3.0 (woody)
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupwa re-bookmarks_0.9.14-0.RC3.2.woody3_all.deb


• Debian phpgroupware-brewer_0.9.14-0.RC3.2.woody3_all.deb
  Debian GNU/Linux 3.0 (woody)
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupwa re-brewer_0.9.14-0.RC3.2.woody3_all.deb


• Debian phpgroupware-calendar_0.9.14-0.RC3.2.woody3_all.deb
  Debian GNU/Linux 3.0 (woody)
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupwa re-calendar_0.9.14-0.RC3.2.woody3_all.deb


• Debian phpgroupware-chat_0.9.14-0.RC3.2.woody3_all.deb
  Debian GNU/Linux 3.0 (woody)
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupwa re-chat_0.9.14-0.RC3.2.woody3_all.deb


• Debian phpgroupware-chora_0.9.14-0.RC3.2.woody3_all.deb
  Debian GNU/Linux 3.0 (woody)
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupwa re-chora_0.9.14-0.RC3.2.woody3_all.deb


• Debian phpgroupware-comic_0.9.14-0.RC3.2.woody3_all.deb
  Debian GNU/Linux 3.0 (woody)
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupwa re-comic_0.9.14-0.RC3.2.woody3_all.deb


• Debian phpgroupware-core-doc_0.9.14-0.RC3.2.woody3_all.deb
  Debian GNU/Linux 3.0 (woody)
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupwa re-core-doc_0.9.14-0.RC3.2.woody3_all.deb


• Debian phpgroupware-core_0.9.14-0.RC3.2.woody3_all.deb
  Debian GNU/Linux 3.0 (woody)
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupwa re-core_0.9.14-0.RC3.2.woody3_all.deb


• Debian phpgroupware-developer-tools_0.9.14-0.RC3.2.woody3_all.deb
  Debian GNU/Linux 3.0 (woody)
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupwa re-developer-tools_0.9.14-0.RC3.2.woody3_all.deb


• Debian phpgroupware-dj_0.9.14-0.RC3.2.woody3_all.deb
  Debian GNU/Linux 3.0 (woody)
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupwa re-dj_0.9.14-0.RC3.2.woody3_all.deb


• Debian phpgroupware-eldaptir_0.9.14-0.RC3.2.woody3_all.deb
  Debian GNU/Linux 3.0 (woody)
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupwa re-eldaptir_0.9.14-0.RC3.2.woody3_all.deb


• Debian phpgroupware-email_0.9.14-0.RC3.2.woody3_all.deb
  Debian GNU/Linux 3.0 (woody)
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupwa re-email_0.9.14-0.RC3.2.woody3_all.deb


• Debian phpgroupware-filemanager_0.9.14-0.RC3.2.woody3_all.deb
  Debian GNU/Linux 3.0 (woody)
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupwa re-filemanager_0.9.14-0.RC3.2.woody3_all.deb


• Debian phpgroupware-forum_0.9.14-0.RC3.2.woody3_all.deb
  Debian GNU/Linux 3.0 (woody)
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupwa re-forum_0.9.14-0.RC3.2.woody3_all.deb


• Debian phpgroupware-ftp_0.9.14-0.RC3.2.woody3_all.deb
  Debian GNU/Linux 3.0 (woody)
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupwa re-ftp_0.9.14-0.RC3.2.woody3_all.deb


• Debian phpgroupware-headlines_0.9.14-0.RC3.2.woody3_all.deb
  Debian GNU/Linux 3.0 (woody)
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupwa re-headlines_0.9.14-0.RC3.2.woody3_all.deb


• Debian phpgroupware-hr_0.9.14-0.RC3.2.woody3_all.deb
  Debian GNU/Linux 3.0 (woody)
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupwa re-hr_0.9.14-0.RC3.2.woody3_all.deb


• Debian phpgroupware-img_0.9.14-0.RC3.2.woody3_all.deb
  Debian GNU/Linux 3.0 (woody)
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupwa re-img_0.9.14-0.RC3.2.woody3_all.deb


• Debian phpgroupware-infolog_0.9.14-0.RC3.2.woody3_all.deb
  Debian GNU/Linux 3.0 (woody)
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupwa re-infolog_0.9.14-0.RC3.2.woody3_all.deb


• Debian phpgroupware-inv_0.9.14-0.RC3.2.woody3_all.deb
  Debian GNU/Linux 3.0 (woody)
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupwa re-inv_0.9.14-0.RC3.2.woody3_all.deb


• Debian phpgroupware-manual_0.9.14-0.RC3.2.woody3_all.deb
  Debian GNU/Linux 3.0 (woody)
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupwa re-manual_0.9.14-0.RC3.2.woody3_all.deb


• Debian phpgroupware-messenger_0.9.14-0.RC3.2.woody3_all.deb
  Debian GNU/Linux 3.0 (woody)
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupwa re-messenger_0.9.14-0.RC3.2.woody3_all.deb


• Debian phpgroupware-napster_0.9.14-0.RC3.2.woody3_all.deb
  Debian GNU/Linux 3.0 (woody)
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupwa re-napster_0.9.14-0.RC3.2.woody3_all.deb


• Debian phpgroupware-news-admin_0.9.14-0.RC3.2.woody3_all.deb
  Debian GNU/Linux 3.0 (woody)
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupwa re-news-admin_0.9.14-0.RC3.2.woody3_all.deb


• Debian phpgroupware-nntp_0.9.14-0.RC3.2.woody3_all.deb
  Debian GNU/Linux 3.0 (woody)
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupwa re-nntp_0.9.14-0.RC3.2.woody3_all.deb


• Debian phpgroupware-notes_0.9.14-0.RC3.2.woody3_all.deb
  Debian GNU/Linux 3.0 (woody)
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupwa re-notes_0.9.14-0.RC3.2.woody3_all.deb


• Debian phpgroupware-phonelog_0.9.14-0.RC3.2.woody3_all.deb
  Debian GNU/Linux 3.0 (woody)
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupwa re-phonelog_0.9.14-0.RC3.2.woody3_all.deb


• Debian phpgroupware-phpsysinfo_0.9.14-0.RC3.2.woody3_all.deb
  Debian GNU/Linux 3.0 (woody)
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupwa re-phpsysinfo_0.9.14-0.RC3.2.woody3_all.deb


• Debian phpgroupware-phpwebhosting_0.9.14-0.RC3.2.woody3_all.deb
  Debian GNU/Linux 3.0 (woody)
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupwa re-phpwebhosting_0.9.14-0.RC3.2.woody3_all.deb


• Debian phpgroupware-polls_0.9.14-0.RC3.2.woody3_all.deb
  Debian GNU/Linux 3.0 (woody)
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupwa re-polls_0.9.14-0.RC3.2.woody3_all.deb


• Debian phpgroupware-preferences_0.9.14-0.RC3.2.woody3_all.deb
  Debian GNU/Linux 3.0 (woody)
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupwa re-preferences_0.9.14-0.RC3.2.woody3_all.deb


• Debian phpgroupware-projects_0.9.14-0.RC3.2.woody3_all.deb
  Debian GNU/Linux 3.0 (woody)
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupwa re-projects_0.9.14-0.RC3.2.woody3_all.deb


• Debian phpgroupware-registration_0.9.14-0.RC3.2.woody3_all.deb
  Debian GNU/Linux 3.0 (woody)
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupwa re-registration_0.9.14-0.RC3.2.woody3_all.deb


• Debian phpgroupware-setup_0.9.14-0.RC3.2.woody3_all.deb
  Debian GNU/Linux 3.0 (woody)
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupwa re-setup_0.9.14-0.RC3.2.woody3_all.deb


• Debian phpgroupware-skel_0.9.14-0.RC3.2.woody3_all.deb
  Debian GNU/Linux 3.0 (woody)
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupwa re-skel_0.9.14-0.RC3.2.woody3_all.deb


• Debian phpgroupware-soap_0.9.14-0.RC3.2.woody3_all.deb
  Debian GNU/Linux 3.0 (woody)
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupwa re-soap_0.9.14-0.RC3.2.woody3_all.deb


• Debian phpgroupware-stocks_0.9.14-0.RC3.2.woody3_all.deb
  Debian GNU/Linux 3.0 (woody)
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupwa re-stocks_0.9.14-0.RC3.2.woody3_all.deb


• Debian phpgroupware-todo_0.9.14-0.RC3.2.woody3_all.deb
  Debian GNU/Linux 3.0 (woody)
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupwa re-todo_0.9.14-0.RC3.2.woody3_all.deb


• Debian phpgroupware-tts_0.9.14-0.RC3.2.woody3_all.deb
  Debian GNU/Linux 3.0 (woody)
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupwa re-tts_0.9.14-0.RC3.2.woody3_all.deb


• Debian phpgroupware-wap_0.9.14-0.RC3.2.woody3_all.deb
  Debian GNU/Linux 3.0 (woody)
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupwa re-wap_0.9.14-0.RC3.2.woody3_all.deb


• Debian phpgroupware-weather_0.9.14-0.RC3.2.woody3_all.deb
  Debian GNU/Linux 3.0 (woody)
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupwa re-weather_0.9.14-0.RC3.2.woody3_all.deb


• Debian phpgroupware-xmlrpc_0.9.14-0.RC3.2.woody3_all.deb
  Debian GNU/Linux 3.0 (woody)
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupwa re-xmlrpc_0.9.14-0.RC3.2.woody3_all.deb


• Debian phpgroupware_0.9.14-0.RC3.2.woody3_all.deb
  Debian GNU/Linux 3.0 (woody)
  http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupwa re_0.9.14-0.RC3.2.woody3_all.deb


• phpGroupWare phpGroupWare 0.9.14.005
  http://www.phpgroupware.org/downloads/

MandrakeSoft Corporate Server 2.1

• Mandrake phpgroupware-0.9.14.006-0.1mdk.noarch.rpm
  Corporate Server 2.1
  http://www.mandrakesecure.net/en/ftp.php


• Mandrake phpgroupware-0.9.14.006-0.1mdk.noarch.rpm
  Corporate Server 2.1/x86_64
  http://www.mandrakesecure.net/en/ftp.php


• Mandrake phpgroupware-0.9.14.006-0.1mdk.src.rpm
  http://www.mandrakesecure.net/en/ftp.php


• Mandrake phpgroupware-0.9.14.006-0.1mdk.src.rpm
  x86_64
  http://www.mandrakesecure.net/en/ftp.php

MandrakeSoft Linux Mandrake 8.2 ppc

• Mandrake phpgroupware-0.9.14.006-0.1mdk.noarch.rpm
  8.2/PPC
  http://www.mandrakesecure.net/en/ftp.php


• Mandrake phpgroupware-0.9.14.006-0.1mdk.src.rpm
  8.2/PPC
  http://www.mandrakesecure.net/en/ftp.php

MandrakeSoft Linux Mandrake 8.2

• Mandrake phpgroupware-0.9.14.006-0.1mdk.noarch.rpm
  8.2
  http://www.mandrakesecure.net/en/ftp.php


• Mandrake phpgroupware-0.9.14.006-0.1mdk.src.rpm
  8.2
  http://www.mandrakesecure.net/en/ftp.php

MandrakeSoft Linux Mandrake 9.0

• Mandrake phpgroupware-0.9.14.006-0.1mdk.noarch.rpm
  9.0
  http://www.mandrakesecure.net/en/ftp.php


• Mandrake phpgroupware-0.9.14.006-0.1mdk.src.rpm
  9.0
  http://www.mandrakesecure.net/en/ftp.php

MandrakeSoft Linux Mandrake 9.1

• Mandrake phpgroupware-0.9.14.006-0.1mdk.noarch.rpm
  9.1
  http://www.mandrakesecure.net/en/ftp.php


• Mandrake phpgroupware-0.9.14.006-0.1mdk.src.rpm
  9.1
  http://www.mandrakesecure.net/en/ftp.php

MandrakeSoft Linux Mandrake 9.1 ppc

• Mandrake phpgroupware-0.9.14.006-0.1mdk.noarch.rpm
  9.1/PPC
  http://www.mandrakesecure.net/en/ftp.php


• Mandrake phpgroupware-0.9.14.006-0.1mdk.src.rpm
  9.1/PPC
  http://www.mandrakesecure.net/en/ftp.php