Hole in phpGroupWare
According to reports from France's FrSIRT, a vulnerability has been found in phpGroupWare version 0.9.16.010 and earlier that could allow files on the server to be read or even executed. A lack of filtering in the calendar/inc/class.holidaycalc.inc.php module enables manipulation of the phpgw_info[user][preferences][common][country] parameter. Access is only possible to files for which the web server possesses the required rights.
Similarly, a PHP script installed in this way will only run with the web server's rights – although those are often sufficient to perform a local privilege elevation and completely compromise the machine. The FrSIRT advisory does not indicate whether attackers must be registered users to exploit the hole.
Shortly after being informed of the problem, the developers made an update available, version 0.9.16.011, in which the hole has been closed. Because an exploit is already in circulation, they urgently recommend installing the update. The exploit can only function if the options register_globals = on and magic_quotes_gpc = off are set.
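The version threshold and the two PHP settings named above can be turned into a quick exposure check. This is an added example, not code from phpGroupWare or the FrSIRT advisory. The function names, the sample php.ini and the fallback defaults (register_globals off, magic quotes on, as in PHP 4.2 and later) are assumptions, and `magic_quotes_gpc` is PHP's name for the magic-quotes directive.

```python
import re

FIXED_VERSION = "0.9.16.011"  # release the article says closes the hole

# Assumed PHP built-in defaults when php.ini does not set the directive.
DEFAULTS = {"register_globals": False, "magic_quotes_gpc": True}
TRUE_WORDS = {"1", "on", "true", "yes"}


def effective_flags(ini_text):
    """Return the effective boolean value of each directive in DEFAULTS."""
    flags = dict(DEFAULTS)
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop ';' comments
        m = re.match(r"([\w.]+)\s*=\s*(.*)$", line)
        if m and m.group(1).lower() in flags:
            value = m.group(2).strip().strip('"').lower()
            flags[m.group(1).lower()] = value in TRUE_WORDS  # last one wins
    return flags


def version_tuple(version):
    """Turn '0.9.16.010' into (0, 9, 16, 10) for numeric comparison."""
    return tuple(int(part) for part in version.split("."))


def assess(installed_version, ini_text):
    """Classify a host as patched, or vulnerable with/without preconditions."""
    if version_tuple(installed_version) >= version_tuple(FIXED_VERSION):
        return "patched"
    flags = effective_flags(ini_text)
    if flags["register_globals"] and not flags["magic_quotes_gpc"]:
        return "vulnerable, exploit preconditions met: update now"
    return "vulnerable, exploit preconditions not met: update anyway"


# Constructed sample php.ini, not taken from any real host.
SAMPLE_INI = """\
; legacy settings kept for an old application
register_globals = On
magic_quotes_gpc = Off   ; disabled by a previous admin
"""

if __name__ == "__main__":
    print(assess("0.9.16.010", SAMPLE_INI))
    print(assess("0.9.16.011", SAMPLE_INI))
```

php.ini is only one source of these settings: `php_flag` lines in the Apache configuration or in `.htaccess` can override it, so confirm the result against the `phpinfo()` output of the virtual host that serves phpGroupWare.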
- phpGroupWare Local File Inclusion Vulnerability, Advisory from FrSIRT