Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Forum/Board/Portal)  >   phpGroupWare Vendors:
phpGroupWare Flaws Allow SQL Injection and PHP File Uploading
SecurityTracker Alert ID:  1008662
SecurityTracker URL:
CVE Reference:   CVE-2004-0016, CVE-2004-0017   (Links to External Site)
Updated:  Jul 6 2008
Original Entry Date:  Jan 9 2004
Impact:   Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to
Description:   Some vulnerabilities were reported in phpGroupWare. A remote user may be able to inject SQL commands. A remote authenticated user may be able to upload PHP scripts and execute them on the target server.

It is reported that the 'calendar' and 'infolog' modules do not properly escape user-supplied input [CVE-2004-0017]. A remote user may be able to supply a specially crafted request to execute SQL queries on the underlying database.

It is also reported that the 'calendar' module allows a remote authenticated user to upload holiday files containing PHP code that can later be remotely executed. The 'save extension' is reportedly not properly enforced [CVE-2004-0016]. The PHP code will execute with the privileges of the target web service.

Impact:   A remote user can inject SQL commands to be executed by the underlying database.

A remote authenticated user can upload PHP files and then execute the files with the privileges of the target web service.

Solution:   The vendor released a fixed version ( in October 2003, available at:

Vendor URL: (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jan 9 2004 (Debian Issues Fix) phpGroupWare Flaws Allow SQL Injection and PHP File Uploading
Debian has released a fix.

 Source Message Contents

Subject:  CVE: CVE-2004-0016 CVE-2004-0017

CVE: CAN-2004-0016 CAN-2004-0017

Some vulnerabilities have been reported in phpGroupWare, as reported by Debian:

 > CAN-2004-0016
 >   In the "calendar" module, "save extension" was not enforced for
 >   holiday files.  As a result, server-side php scripts may be placed
 >   in directories that then could be accessed remotely and cause the
 >   webserver to execute those.  This was resolved by enforcing the
 >   extension ".txt" for holiday files.
 > CAN-2004-0017
 >   Some SQL injection problems (non-escaping of values used in SQL
 >   strings) the "calendar" and "infolog" modules.


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC