Security Check Details

eGroupWare spellchecker.php spellchecker_lang Parameter Arbitrary Shell Command Execution

Synopsis :

The remote web server contains a CGI script that can be abused to
execute arbitrary commands.

Description :

The version of eGroupWare hosted on the remote web server fails to
sanitize user-supplied input to the 'spellchecker_lang' parameter of
the 'spellchecker.php' script before passing it to a shell.

An unauthenticated remote attacker can leverage this issue to execute
arbitrary commands subject to the privileges under which the web
server operates.

Note that the install likely has a similar issue involving another
script parameter, although Nessus has not checked for that.

See also :

http://www.egroupware.org/viewvc/egroupware?view=rev&revision=29423
http://www.egroupware.org/viewvc/egroupware?view=rev&revision=29422
http://www.egroupware.org/news?category_id=95&item=93

Solution :

Upgrade to eGroupWare 1.6.003 / eGroupWare version EPL 9.1.20100309 /
9.2.20100309 or later.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
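
Where a language value like 'spellchecker_lang' has to reach an external spell-check program, the defensive pattern is to allowlist the value and start the program without a shell. The following is an added example, not eGroupWare's code or its actual fix: the function names, the allowlist contents, the use of `aspell`, and reading the value from `$_REQUEST` are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical handler, not eGroupWare's code.
// Constructed allowlist; a real one lists the dictionaries actually installed.
const ALLOWED_LANGS = ['en_US', 'en_GB', 'de_DE', 'fr_FR'];

/** Map the untrusted request value to a known-good language code. */
function resolve_spell_lang($requested, string $default = 'en_US'): string
{
    // Request values can be arrays (?spellchecker_lang[]=x); reject non-strings.
    if (!is_string($requested)) {
        return $default;
    }
    // Format gate: "en" or "en_US" only. \A and \z anchor the whole string,
    // so a trailing newline cannot slip past the check.
    if (preg_match('/\A[a-z]{2,3}(?:_[A-Z]{2})?\z/', $requested) !== 1) {
        return $default;
    }
    return in_array($requested, ALLOWED_LANGS, true) ? $requested : $default;
}

/** Run aspell in pipe mode without a shell and return its raw output. */
function spellcheck(string $text, string $lang): string
{
    // Array form of proc_open() (PHP >= 7.4) executes the binary directly,
    // so shell metacharacters in an argument are never interpreted.
    $cmd  = ['aspell', '-a', '--lang=' . $lang, '--encoding=utf-8'];
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['file', '/dev/null', 'w']];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start spell checker');
    }
    // In pipe mode a leading "^" marks the line as text to check, so user
    // text starting with "!", "*", "@" etc. is not read as an aspell command.
    foreach (preg_split('/\R/', $text) as $line) {
        fwrite($pipes[0], '^' . $line . "\n");
    }
    fclose($pipes[0]);
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return $out === false ? '' : $out;
}

// Usage inside the request handler (short input; constructed sample text):
$lang = resolve_spell_lang($_REQUEST['spellchecker_lang'] ?? null);
echo spellcheck('Ths is a tset', $lang);
```

On PHP versions without the array form of `proc_open()`, the allowlist check still applies and each argument should additionally be passed through `escapeshellarg()` before it is placed in a command string.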


More at Nessus.org


Copyright © 2000-2010 Alertra, Inc. All rights reserved. Please read our privacy statement and our terms of service.