<title>PHProjekt: Remote code execution vulnerability</title>
PHProjekt contains a vulnerability that allows a remote attacker to execute
arbitrary PHP code.
<product type="ebuild">PHProjekt</product>
<announced>December 30, 2004</announced>
<revised>December 30, 2004: 01</revised>
<package name="www-apps/phprojekt" auto="yes" arch="*">
<unaffected range="ge">4.2-r2</unaffected>
<vulnerable range="lt">4.2-r2</vulnerable>
PHProjekt is a modular groupware web application used to
coordinate group activities and share files.
cYon discovered that the script allows a remote
user to define the global variable $path_pre.
<impact type="high">
A remote attacker can exploit this vulnerability to force the script to download and execute arbitrary PHP code with the
privileges of the web server user.
There is no known workaround at this time.
All PHProjekt users should upgrade to the latest version:
<code>
# emerge --sync
# emerge --ask --oneshot --verbose &quot;&gt;=www-apps/phprojekt-4.2-r2&quot;</code>
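To review whether an installation received requests that set $path_pre before it was upgraded, the following added example (not part of the advisory or of PHProjekt) scans web server access logs for that parameter. It assumes Apache combined log format and that the variable arrives in the query string; SCRIPT.php and all log lines are constructed placeholders, and values sent in POST bodies or cookies do not appear in access logs.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines (Apache combined format). SCRIPT.php is a
# placeholder: the advisory text above does not name the affected script.
SAMPLE_LOG = """\
192.0.2.10 - - [30/Dec/2004:10:00:01 +0000] "GET /phprojekt/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Dec/2004:10:02:13 +0000] "GET /phprojekt/SCRIPT.php?path_pre=http%3A%2F%2Fexample.invalid%2F HTTP/1.1" 200 312 "-" "-"
198.51.100.7 - - [30/Dec/2004:10:02:40 +0000] "GET /phprojekt/SCRIPT.php?path_pre%5B%5D=.%2F HTTP/1.1" 200 298 "-" "-"
203.0.113.5 - - [30/Dec/2004:10:05:00 +0000] "GET /phprojekt/index.php?q=path_pre HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# client, timestamp, method and request target of one access-log line
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')
# value that starts with a URL scheme, i.e. points at a remote location
REMOTE_RE = re.compile(r'^[a-z][a-z0-9+.-]*://', re.I)


def find_path_pre_requests(log_text, var="path_pre"):
    """Return (client, timestamp, value, kind) for each request that sets `var`."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        client, stamp, _method, target = m.groups()
        query = urlsplit(target).query
        # parse_qsl percent-decodes names and values, so encoded forms match too
        for name, value in parse_qsl(query, keep_blank_values=True):
            # PHP treats name[...] as an array stored under the same name
            if name.split("[", 1)[0] != var:
                continue
            kind = "remote-url" if REMOTE_RE.match(value) else "local-value"
            hits.append((client, stamp, value, kind))
    return hits


if __name__ == "__main__":
    for client, stamp, value, kind in find_path_pre_requests(SAMPLE_LOG):
        print(f"{stamp} {client} path_pre={value!r} [{kind}]")
```

Any hit deserves review, since no legitimate client needs to supply this variable; a "remote-url" hit on a version older than 4.2-r2 should be treated as a possible compromise.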
<uri link=";name=News&amp;file=article&amp;sid=193&amp;mode=thread&amp;order=0">PHProjekt Advisory</uri>
<metadata tag="submitter" timestamp="Wed, 29 Dec 2004 16:45:27 +0000">
<metadata tag="bugReady" timestamp="Wed, 29 Dec 2004 16:45:35 +0000">