[24960] in bugtraq
Re: SQL injection in PHPGroupware
daemon@ATHENA.MIT.EDU (Adam McKenna)
Thu Apr 4 00:40:51 2002
Date: Wed, 3 Apr 2002 17:04:32 -0800
To: bugtraq@securityfocus.com
Cc: security@debian.org
Message-ID: <20020404010432.GE6693@flounder.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <17122201257.20020403160836@code-fu.de>
From: Adam McKenna <adam@flounder.net>
Mail-Followup-To: bugtraq@securityfocus.com, security@debian.org
On Wed, Apr 03, 2002 at 04:08:36PM +0200, Matthias Jordan wrote:
> + Problem
>
> PHPGroupware 0.9.12 (the current release version) is vulnerable
> to SQL injection. This enables each attacker who can access the
> login page of PHPGroupware to take over the database. This is
> true in particular for the Debian package phpgroupware
> (0.9.12-3.2) that has been tested.
...
> Solution involving more work: upgrade to 0.9.14 RC2. The problem
> seems to be fixed there, but neither is there a Debian package
> for it, yet, nor a statement that this bug has been fixed and to
> what extent nor is it a release version.
I'm having trouble figuring out why Debian is singled out in your post. It
doesn't appear as though you e-mailed security@debian.org regarding this
problem, nor did you file any bugs against the package in question, at least
according to http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=phpgroupware
Also, FWIW, the latest version of this software in Debian Unstable, according
to packages.debian.org, is 0.9.14-0.RC2.1. The package is not present in the
stable version of Debian.
--Adam
--
Adam McKenna <adam@debian.org> <adam@flounder.net>
