phpGroupWare is a freely distributed multi-user groupware suite originally developed by Joseph Engo. A problem in the software could allow users to remotely execute malicious code. The problem involves the PHP include() function. Due to a design flaw in the phpgw.inc.php include file, it is possible to supply values for its variables through a FORM method and cause the software to seek an include file outside of the local system. Insufficient access control makes it possible for a malicious user to send a custom-crafted request to the web server, which could result in the execution of code with the UID and GID of the httpd process.
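A detection sketch for the request pattern described above, added here as an example and not taken from phpGroupWare or the original advisory: it scans web server access-log lines for requests to a PHP script whose parameters carry a remote URL, which is what an include() redirected off the local system looks like on the wire. The log lines, paths, hosts and the parameter name `conf[include_dir]` are constructed placeholders, and only query-string parameters are covered, since form fields sent in a POST body do not appear in an access log.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Schemes that PHP's URL wrappers allow include() to fetch from a remote host.
REMOTE_SCHEME = re.compile(r"^\s*(?:https?|ftp)://", re.IGNORECASE)
# Request line inside a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample entries; paths, hosts and parameter names are made up.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2001:10:00:00 +0000] "GET /groupware/index.php?menuaction=home HTTP/1.0" 200 512 "-" "-"',
    '192.0.2.44 - - [01/Jan/2001:10:00:05 +0000] "GET /groupware/inc/phpgw.inc.php?conf[include_dir]=http://files.example.invalid/ HTTP/1.0" 200 87 "-" "-"',
    '192.0.2.44 - - [01/Jan/2001:10:00:09 +0000] "GET /groupware/inc/phpgw.inc.php?conf%5Binclude_dir%5D=%2566tp%253A%252F%252Ffiles.example.invalid%252F HTTP/1.0" 200 87 "-" "-"',
    '192.0.2.10 - - [01/Jan/2001:10:00:12 +0000] "GET /groupware/help.php?topic=about+http HTTP/1.0" 200 300 "-" "-"',
]

def remote_include_params(log_line):
    """Return [(param, value)] for parameters of a .php request whose value is a remote URL."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    target = urlsplit(m.group(1))
    if not target.path.lower().endswith(".php"):
        return []
    hits = []
    # parse_qsl percent-decodes names and values once.
    for name, value in parse_qsl(target.query, keep_blank_values=True):
        # Decode a second time so double-encoded values are caught as well.
        decoded = unquote(value)
        if REMOTE_SCHEME.match(decoded):
            hits.append((name, decoded))
    return hits

def flag_lines(lines):
    """Map line index -> suspicious (param, value) pairs, skipping clean lines."""
    return {i: hits for i, line in enumerate(lines)
            if (hits := remote_include_params(line))}

if __name__ == "__main__":
    for idx, hits in flag_lines(SAMPLE_LOG).items():
        print(idx, hits)
```

A hit on an include file such as phpgw.inc.php, which is not meant to be requested directly, is worth correlating with outbound connections from the web server to the host named in the value.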