PHProjekt contains a vulnerability that allows a remote attacker to execute arbitrary PHP code.
Package | www-apps/phprojekt on all architectures |
---|---|
Affected versions | < 4.2-r2 |
Unaffected versions | >= 4.2-r2 |
PHProjekt is a modular groupware web application used to coordinate group activities and share files.
cYon discovered that the authform.inc.php script allows a remote user to define the global variable $path_pre.
A remote attacker can exploit this vulnerability to force authform.inc.php to download and execute arbitrary PHP code with the privileges of the web server user.
There is no known workaround at this time.
All PHProjekt users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=www-apps/phprojekt-4.2-r2"
Release date
December 30, 2004
Latest revision
December 30, 2004: 01
Severity
high
Exploitable
remote
Bugzilla entries