phpGroupWare Multiple Module SQL Injection

high Nessus Plugin ID 14296

Synopsis

A remote web application is prone to multiple SQL injections.

Description

The remote host seems to be running PhpGroupWare, a multi-user groupware suite written in PHP.

It has been reported that this version may be prone to multiple SQL injection vulnerabilities in the 'calendar' and 'infolog' modules.

The problems exist due to insufficient sanitization of user-supplied data.

A remote attacker may exploit these issues to influence SQL query logic to disclose sensitive information that could be used to gain unauthorized access.

Solution

Update to version 0.9.14.007 or newer.

See Also

https://www.phpgroupware.org/

Plugin Details

Severity: High

ID: 14296

File Name: phpgroupware_sql_injection.nasl

Version: 1.25

Type: remote

Family: CGI abuses

Published: 8/17/2004

Updated: 6/4/2024

Configuration: Enable thorough checks

Supported Sensors: Nessus

Enable CGI Scanning: true

Risk Information

VPR

Risk Factor: Medium

Score: 5.3

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/a:phpgroupware:phpgroupware

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Ease: No exploit is required

Vulnerability Publication Date: 10/21/2003

Reference Information

CVE: CVE-2004-0017

BID: 9386