1. Gentoo Linux Security Advisory
| Advisory Reference | GLSA 200412-27 / PHProjekt |
| Release Date | December 30, 2004 |
| Latest Revision | December 30, 2004: 01 |
| Impact | high |
| Exploitable | remote |
| Package | Vulnerable versions | Unaffected versions | Architecture(s) |
| www-apps/phprojekt | < 4.2-r2 | >= 4.2-r2 | All supported architectures |
Related bugreports: #75858
PHProjekt contains a vulnerability that allows a remote attacker to execute arbitrary PHP code.
PHProjekt is a modular groupware web application used to coordinate group activities and share files.
cYon discovered that the authform.inc.php script allows a remote user to define the global variable $path_pre.
A remote attacker can exploit this vulnerability to force authform.inc.php to download and execute arbitrary PHP code with the privileges of the web server user.
There is no known workaround at this time.
All PHProjekt users should upgrade to the latest version:
Code Listing 3.1: Resolution |
# emerge --sync # emerge --ask --oneshot --verbose ">=www-apps/phprojekt-4.2-r2" |