Bugtraq mailing list archives
Re: SQL injection in PHPGroupware
From: Adam McKenna <adam () flounder net>
Date: Wed, 3 Apr 2002 17:04:32 -0800
On Wed, Apr 03, 2002 at 04:08:36PM +0200, Matthias Jordan wrote:
> + Problem PHPGroupware 0.9.12 (the current release version) is vulnerable to SQL injection. This enables each attacker who can access the login page of PHPGroupware to take over the database. This is true in particular for the Debian package phpgroupware (0.9.12-3.2) that has been tested.
> ...
> Solution involving more work: upgrade to 0.9.14 RC2. The problem seems to be fixed there, but neither is there a Debian package for it, yet, nor a statement that this bug has been fixed and to what extent nor is it a release version.

I'm having trouble figuring out why Debian is singled out in your post. It doesn't appear as though you e-mailed security () debian org regarding this problem, nor did you file any bugs against the package in question, at least according to http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=phpgroupware

Also, FWIW, the latest version of this software in Debian Unstable, according to packages.debian.org, is 0.9.14-0.RC2.1. The package is not present in the stable version of Debian.

--Adam

--
Adam McKenna <adam () debian org> <adam () flounder net>