PHProjekt Groupware Access Control Weakness Lets Authenticated Remote Users Access Data of Other Users - SecurityTracker

	Keep Track of the Latest Vulnerabilities with SecurityTracker!

Home | View Topics | Search | Contact Us |

SecurityTracker
Archives

Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary

Instant Alerts

Buy our Premium Vulnerability Notification Service to receive customized, instant alerts

Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!

Become a Partner and License Our Database or Notification Service

Report a Bug

Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com

Category: Application (Web Server/CGI) > PHProjekt

Vendors: Guenther, Albrecht

PHProjekt Groupware Access Control Weakness Lets Authenticated Remote Users Access Data of Other Users

SecurityTracker Alert ID: 1002264

SecurityTracker URL: http://securitytracker.com/id/1002264

CVE Reference: GENERIC-MAP-NOMATCH (Links to External Site)

Date: Aug 27 2001

Impact: Disclosure of user information, Modification of user information

Fix Available: Yes Vendor Confirmed: Yes

Version(s): prior to 2.4

Description: The PHProjekt vendor announced a fix for a vulnerability in their PHProjekt PHP-based groupware. The security flaw allowed authenticated users to view, modify, and delete data of another user.

It is reported that an authenticated user can modify the ID number in the URL to access data of another user.

The vendor notes that Martin Mayrhofer originally reported the vulnerability.

Impact: A remote user with access to a PHProjekt account can view, modify, or delete the data belonging to another PHProjekt user.

Solution: The vendor reports that all actions are now authenticated. A fix is available in the newest release (2.4a), available at: www.PHProjekt.com/download/phprojekt.tar.gz

Vendor URL: www.phprojekt.com/ (Links to External Site)

Cause: Access control error

Underlying OS: Linux (Any), UNIX (Any), Windows (NT), Windows (2000)

Message History: None.

Source Message Contents

Date: Sun, 26 Aug 2001 22:39:06 +0200
Subject: security hole in os groupware suite PHProjekt


   Overview
PHProjekt is an open source groupware suite written in PHP4 
with mysql/postgres/oracle/informix/ms-sql support: 
www.PHProjekt.com
The security hole concernes the several modules.

    Details
By modifying the ID number in links an user can
view, moduify or delete data of other users randomly.
 
  Affected systems
The concerned releases are all versions until 2.4.

    Solution
All respective actions are now checked for the authentification.
Download the newest release 2.4a from the homepage
www.PHProjekt.com/download/phprojekt.tar.gz

   Credit
Martin Mayrhofer kindly provided me with this information.


Albrecht Guenther

Go to the Top of This SecurityTracker Archive Page

Home | View Topics | Search | Contact Us
Copyright 2013, SecurityGlobal.net LLC