Bugtraq mailing list archives

Re: SQL injection in PHPGroupware


From: Adam McKenna <adam () flounder net>
Date: Wed, 3 Apr 2002 17:04:32 -0800

On Wed, Apr 03, 2002 at 04:08:36PM +0200, Matthias Jordan wrote:
> + Problem
>
> PHPGroupware 0.9.12 (the current release version) is vulnerable
> to SQL injection. This enables each attacker who can access the
> login page of PHPGroupware to take over the database. This is
> true in particular for the Debian package phpgroupware
> (0.9.12-3.2) that has been tested.
>
> ...
>
> Solution involving more work: upgrade to 0.9.14 RC2. The problem
> seems to be fixed there, but neither is there a Debian package
> for it, yet, nor a statement that this bug has been fixed and to
> what extent nor is it a release version.

I'm having trouble figuring out why Debian is singled out in your post.  It
doesn't appear as though you e-mailed security () debian org regarding this
problem, nor did you file any bugs against the package in question, at least
according to http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=phpgroupware

Also, FWIW, the latest version of this software in Debian Unstable, according
to packages.debian.org, is 0.9.14-0.RC2.1.  The package is not present in the
stable version of Debian.

--Adam

-- 
Adam McKenna  <adam () debian org>  <adam () flounder net>

