Vulnerability Bulletins

int(2403)

Vulnerability Bulletins

Inyección de código PHP en FUD Forum / phpgroupware
Vulnerability classification
Property	Value
Confidence level	Oficial
Impact	Obtener acceso
Dificulty	Experto
Required attacker level	Acceso remoto sin cuenta a un servicio exotico
System information
Property	Value
Affected manufacturer	GNU/Linux
Affected software	FUD Forum < 2.7.0 phpgroupware
Description
Se ha descubierto una vulnerabilidad en FUD Forum versión anterior a 2.7.0. La vulnerabilidad reside en que la funcionalidad de subir un avatar al servidor no comprueba de forma correcta los ficheros que se envían. Un atacante remoto podría ejecutar código PHP arbitrario mediante un fichero con extensión PHP que contiene una imagen seguida de código PHP.
Solution
Actualización de software Debian Debian Linux 3.0 Source http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware_0.9.14-0.RC3.2.woody6.dsc http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware_0.9.14-0.RC3.2.woody6.diff.gz http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware_0.9.14.orig.tar.gz Architecture independent http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-addressbook_0.9.14-0.RC3.2.woody6_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-admin_0.9.14-0.RC3.2.woody6_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-api-doc_0.9.14-0.RC3.2.woody6_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-api_0.9.14-0.RC3.2.woody6_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-bookkeeping_0.9.14-0.RC3.2.woody6_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-bookmarks_0.9.14-0.RC3.2.woody6_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-brewer_0.9.14-0.RC3.2.woody6_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-calendar_0.9.14-0.RC3.2.woody6_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-chat_0.9.14-0.RC3.2.woody6_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-chora_0.9.14-0.RC3.2.woody6_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-comic_0.9.14-0.RC3.2.woody6_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-core-doc_0.9.14-0.RC3.2.woody6_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-core_0.9.14-0.RC3.2.woody6_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-developer-tools_0.9.14-0.RC3.2.woody6_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-dj_0.9.14-0.RC3.2.woody6_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-eldaptir_0.9.14-0.RC3.2.woody6_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-email_0.9.14-0.RC3.2.woody6_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-filemanager_0.9.14-0.RC3.2.woody6_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-forum_0.9.14-0.RC3.2.woody6_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-ftp_0.9.14-0.RC3.2.woody6_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-headlines_0.9.14-0.RC3.2.woody6_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-hr_0.9.14-0.RC3.2.woody6_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-img_0.9.14-0.RC3.2.woody6_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-infolog_0.9.14-0.RC3.2.woody6_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-inv_0.9.14-0.RC3.2.woody6_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-manual_0.9.14-0.RC3.2.woody6_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-messenger_0.9.14-0.RC3.2.woody6_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-napster_0.9.14-0.RC3.2.woody6_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-news-admin_0.9.14-0.RC3.2.woody6_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-nntp_0.9.14-0.RC3.2.woody6_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-notes_0.9.14-0.RC3.2.woody6_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-phonelog_0.9.14-0.RC3.2.woody6_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-phpsysinfo_0.9.14-0.RC3.2.woody6_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-phpwebhosting_0.9.14-0.RC3.2.woody6_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-polls_0.9.14-0.RC3.2.woody6_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-preferences_0.9.14-0.RC3.2.woody6_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-projects_0.9.14-0.RC3.2.woody6_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-registration_0.9.14-0.RC3.2.woody6_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-setup_0.9.14-0.RC3.2.woody6_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-skel_0.9.14-0.RC3.2.woody6_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-soap_0.9.14-0.RC3.2.woody6_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-stocks_0.9.14-0.RC3.2.woody6_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-todo_0.9.14-0.RC3.2.woody6_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-tts_0.9.14-0.RC3.2.woody6_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-wap_0.9.14-0.RC3.2.woody6_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-weather_0.9.14-0.RC3.2.woody6_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-xmlrpc_0.9.14-0.RC3.2.woody6_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware_0.9.14-0.RC3.2.woody6_all.deb Debian Linux 3.1 Source http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware_0.9.16.005-3.sarge5.dsc http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware_0.9.16.005-3.sarge5.diff.gz http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware_0.9.16.005.orig.tar.gz Architecture independent http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-addressbook_0.9.16.005-3.sarge5_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-admin_0.9.16.005-3.sarge5_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-bookmarks_0.9.16.005-3.sarge5_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-calendar_0.9.16.005-3.sarge5_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-chat_0.9.16.005-3.sarge5_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-comic_0.9.16.005-3.sarge5_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-core_0.9.16.005-3.sarge5_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-developer-tools_0.9.16.005-3.sarge5_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-dj_0.9.16.005-3.sarge5_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-eldaptir_0.9.16.005-3.sarge5_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-email_0.9.16.005-3.sarge5_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-etemplate_0.9.16.005-3.sarge5_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-felamimail_0.9.16.005-3.sarge5_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-filemanager_0.9.16.005-3.sarge5_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-folders_0.9.16.005-3.sarge5_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-forum_0.9.16.005-3.sarge5_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-ftp_0.9.16.005-3.sarge5_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-fudforum_0.9.16.005-3.sarge5_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-headlines_0.9.16.005-3.sarge5_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-hr_0.9.16.005-3.sarge5_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-img_0.9.16.005-3.sarge5_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-infolog_0.9.16.005-3.sarge5_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-manual_0.9.16.005-3.sarge5_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-messenger_0.9.16.005-3.sarge5_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-news-admin_0.9.16.005-3.sarge5_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-nntp_0.9.16.005-3.sarge5_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-notes_0.9.16.005-3.sarge5_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-phonelog_0.9.16.005-3.sarge5_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-phpbrain_0.9.16.005-3.sarge5_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-phpgwapi_0.9.16.005-3.sarge5_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-phpsysinfo_0.9.16.005-3.sarge5_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-polls_0.9.16.005-3.sarge5_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-preferences_0.9.16.005-3.sarge5_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-projects_0.9.16.005-3.sarge5_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-qmailldap_0.9.16.005-3.sarge5_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-registration_0.9.16.005-3.sarge5_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-setup_0.9.16.005-3.sarge5_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-sitemgr_0.9.16.005-3.sarge5_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-skel_0.9.16.005-3.sarge5_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-soap_0.9.16.005-3.sarge5_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-stocks_0.9.16.005-3.sarge5_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-todo_0.9.16.005-3.sarge5_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-tts_0.9.16.005-3.sarge5_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-wiki_0.9.16.005-3.sarge5_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-xmlrpc_0.9.16.005-3.sarge5_all.deb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware_0.9.16.005-3.sarge5_all.deb
Standar resources
Property	Value
CVE	CVE-2005-2781
BID	14678
Other resources
Debian Security Advisory (DSA 1063-1) http://lists.debian.org/debian-security-announce/debian-security-announce-2006/msg00148.html

Version history
Version	Comments	Date
1.0	Aviso emitido	2006-05-22

Vulnerability Bulletins

Inyección de código PHP en FUD Forum / phpgroupware

Vulnerability classification

System information

Description

Solution

Standar resources

Other resources

Version history