PHProjekt: setup.php vulnerability — GLSA 200412-06

PHProjekt contains a vulnerability in the setup procedure allowing remote users without admin rights to change the configuration.

Affected packages

www-apps/phprojekt on all architectures
Affected versions < 4.2-r1
Unaffected versions >= 4.2-r1

Background

PHProjekt is a modular groupware web application used to coordinate group activities and share files.

Description

Martin Muench, from it.sec, found a flaw in the setup.php file.

Impact

Successful exploitation of the flaw allows a remote attacker without admin rights to make unauthorized changes to the PHProjekt configuration.

Workaround

As a workaround, you could replace the existing setup.php file in the PHProjekt root directory with the one provided in the PHProjekt Advisory (see References).

Resolution

All PHProjekt users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=www-apps/phprojekt-4.2-r1"

References

Release date
December 10, 2004

Latest revision
December 10, 2004: 01

Severity
normal

Exploitable
remote

Bugzilla entries