Description
phpGroupWare 0.9.16.003 and earlier allows remote attackers to gain sensitive information via (1) unexpected characters in the session ID such as shell metacharacters, (2) an invalid appname parameter to preferences.php or (3) an invalid menuaction parameter to index.php, which reveals the web server path in an error message.
Exploits (1)
exploitdb
WRITEUP
VERIFIED
by GulfTech Security · textwebappsphp
https://www.exploit-db.com/exploits/24847
References (4)
Core 4
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/18497
Mailing List mailing-list
x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=110312656029072&w=2
Exploit x_refsource_misc
http://www.gulftech.org/?node=research&article_id=00054-12142004
Patch vendor-advisory
x_refsource_gentoo
http://www.gentoo.org/security/en/glsa/glsa-200501-08.xml
Scores
EPSS
0.0459
EPSS Percentile
89.3%
Details
Status
published
Products (11)
phpgroupware/phpgroupware
0.9.12
phpgroupware/phpgroupware
0.9.13
phpgroupware/phpgroupware
0.9.14
phpgroupware/phpgroupware
0.9.14.003
phpgroupware/phpgroupware
0.9.14.005
phpgroupware/phpgroupware
0.9.14.006
phpgroupware/phpgroupware
0.9.14.007
phpgroupware/phpgroupware
0.9.16.000
phpgroupware/phpgroupware
0.9.16.002
phpgroupware/phpgroupware
0.9.16.003
... and 1 more
Published
Dec 31, 2004
Tracked Since
Feb 18, 2026