Welcome 微信登录
编程资源 图片资源库 蚂蚁家优选 PDF转换器

首页 / 操作系统 / Linux / phpGroupWare app参数本地文件包含漏洞

发布日期:2009-05-12
更新日期:2010-05-20受影响系统:
PHPGroupWare PHPGroupWare < 0.9.16.016
不受影响系统:
PHPGroupWare PHPGroupWare 0.9.16.016
描述:
--------------------------------------------------------------------------------
BUGTRAQ  ID: 40167
CVE ID: CVE-2010-0403phpGroupWare是一个用PHP编写的多用户的网络组件,为开发其他程序提供了一个API。在设置了sessionid和kp3的情况下,phpGroupWare没有正确地过滤提交给about.php页面的app参数便用于包含文件,远程攻击者可以通过提交包含有目录遍历序列的特制请求包含本地资源的任意文件,导致信息泄露。<*来源:Vupen
 
  链接:http://secunia.com/advisories/39665
        http://lists.gnu.org/archive/html/phpgroupware-users/2010-05/msg00004.html
        http://www.debian.org/security/2010/dsa-2046
*>建议:
--------------------------------------------------------------------------------
厂商补丁:Debian
------
Debian已经为此发布了一个安全公告(DSA-2046-1)以及相应补丁:
DSA-2046-1:phpgroupware: Multiple vulnerabilities
链接:http://www.debian.org/security/2010/dsa-2046补丁下载:Source archives:http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware_0.9.16.012+dfsg.orig.tar.gz
Size/MD5 checksum: 19383160 bbfcfa12aca69b4032d7b4d38aeba85f
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware_0.9.16.012+dfsg-8+lenny2.dsc
Size/MD5 checksum:     1662 1a1ff2d6badf454ba2b948ee1268e57b
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware_0.9.16.012+dfsg-8+lenny2.diff.gz
Size/MD5 checksum:    74293 9ba66bc79bc0f5bb6454a3372bc2bfd8Architecture independent packages:http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-filemanager_0.9.16.012+dfsg-8+lenny2_all.deb
Size/MD5 checksum:    91562 51f6a2473368c6c21d19b8fd6349635f
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-phpgwapi-doc_0.9.16.012+dfsg-8+lenny2_all.deb
Size/MD5 checksum:  7985242 c19ed260050702c356c4d14db87e3f0d
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16_0.9.16.012+dfsg-8+lenny2_all.deb
Size/MD5 checksum:    20158 c09431d20a4d833841340ea79e03854d
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-setup_0.9.16.012+dfsg-8+lenny2_all.deb
Size/MD5 checksum:   281402 2fc54aa2367098332f67b846b17d8c7a
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-core-base_0.9.16.012+dfsg-8+lenny2_all.deb
Size/MD5 checksum:    48876 41cc095cbbc3bd97ae36754405df60b9
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-email_0.9.16.012+dfsg-8+lenny2_all.deb
Size/MD5 checksum:  1167580 4b63e0460fb590082a29391d26331b1e
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-phpgwapi_0.9.16.012+dfsg-8+lenny2_all.deb
Size/MD5 checksum:  1529004 52216c8fa04c49ebf2d5d12aa6a8013a
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware_0.9.16.012+dfsg-8+lenny2_all.deb
Size/MD5 checksum:    22522 783f747d25f32fe4024db807a0727261
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-core_0.9.16.012+dfsg-8+lenny2_all.deb
Size/MD5 checksum:     4726 0a3140a4bdc80c8b421ef865c1f730d3
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-doc_0.9.16.012+dfsg-8+lenny2_all.deb
Size/MD5 checksum:   130240 dc11591ae411a496bc5828d88eaed65d
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-todo_0.9.16.012+dfsg-8+lenny2_all.deb
Size/MD5 checksum:    50810 b632b74158236fea55b5014830c26369
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-preferences_0.9.16.012+dfsg-8+lenny2_all.deb
Size/MD5 checksum:    60432 8355e743ea535fbb8b5afef5bcb196bb
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-manual_0.9.16.012+dfsg-8+lenny2_all.deb
Size/MD5 checksum:    93564 f44dbd8f6b2902d4980c4ec23d955d02
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-news-admin_0.9.16.012+dfsg-8+lenny2_all.deb
Size/MD5 checksum:    41194 9ed410fd27d8e0c7430a90fa2eaabb70
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-calendar_0.9.16.012+dfsg-8+lenny2_all.deb
Size/MD5 checksum:   270288 ffa447f1b07658090d9acdec93ef31a5
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-admin_0.9.16.012+dfsg-8+lenny2_all.deb
Size/MD5 checksum:   188302 84057847fe79ad066a751a0b5f1abef7
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-addressbook_0.9.16.012+dfsg-8+lenny2_all.deb
Size/MD5 checksum:   176400 0294b85b1e34e7879edbc4ee832dfa43
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-notes_0.9.16.012+dfsg-8+lenny2_all.deb
Size/MD5 checksum:    33074 95aff5b1efc3ba4eeb3a5756549ae070补丁安装方法:1. 手工安装补丁包:  首先,使用下面的命令来下载补丁软件:
  # wget url  (url是补丁下载链接地址)  然后,使用下面的命令来安装补丁: 
  # dpkg -i file.deb (file是相应的补丁名)2. 使用apt-get自动安装补丁包:   首先,使用下面的命令更新内部数据库:
   # apt-get update
  
   然后,使用下面的命令安装更新软件包:
   # apt-get upgradePHPGroupWare
------------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:http://prdownloads.sourceforge.net/phpgroupware/phpgroupware-0.9.16.016.tar.bz2Linux Kernel Btrfs实现创建不安全克隆文件漏洞Dell OpenManage file参数URI重新定向漏洞相关资讯      漏洞 
  • 快递官网漏洞泄露 1400 万用户信息  (08/12/2014 08:37:42)
  • 要389目录服务器访问绕过漏洞  (10/01/2012 09:18:08)
  • ASUS Net4Switch "ipswcom.dll"   (03/02/2012 09:32:42)
  • 软件漏洞是一笔大买卖!  (10/06/2012 08:28:32)
  • PHPCMS V9.1.13任意文件包含漏洞分  (08/01/2012 07:23:17)
  • Open Handset Alliance Android   (03/01/2012 06:59:34)
本文评论 查看全部评论 (0)
表情: 姓名: 字数


评论声明
  • 尊重网上道德,遵守中华人民共和国的各项有关法律法规
  • 承担一切因您的行为而直接或间接导致的民事或刑事法律责任
  • 本站管理人员有权保留或删除其管辖留言中的任意内容
  • 本站有权在网站内转载或引用您的评论
  • 参与本评论即表明您已经阅读并接受上述条款
版权所有©石家庄振强科技有限公司2024 冀ICP备08103738号-5 网站地图