Vulnerability CVE-2010-0403

Vulnerability Name:

CVE-2010-0403 (CCN-58657)

Assigned:

2010-05-12

Published:

2010-05-12

Updated:

2018-10-10

Summary:

Directory traversal vulnerability in about.php in phpGroupWare (phpgw) before 0.9.16.016 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the app parameter.

CVSS v3 Severity:

7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): Low

CVSS v2 Severity:

6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
5.0 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

6.8 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
5.0 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

Vulnerability Type:

CWE-22

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2010-0403

Source: CONFIRM
Type: Patch, Vendor Advisory
http://download.phpgroupware.org/

Source: CONFIRM
Type: Patch
http://forums.phpgroupware.org/index.php?t=msg&th=98662&start=0&rid=0

Source: CCN
Type: phpGroupWare-users Web page
Phpgroupware security release 0.9.16.016

Source: MLIST
Type: UNKNOWN
[phpgroupware-users] 20100512 Phpgroupware security release 0.9.16.016

Source: CCN
Type: SA39665
phpGroupWare SQL Injection and Local File Inclusion Vulnerabilities

Source: SECUNIA
Type: Vendor Advisory
39665

Source: SECUNIA
Type: Vendor Advisory
39731

Source: DEBIAN
Type: UNKNOWN
DSA-2046

Source: DEBIAN
Type: DSA-2046
phpgroupware -- several vulnerabilities

Source: CCN
Type: OSVDB ID: 64639
phpGroupWare about.php app Parameter Traversal Local File Inclusion

Source: CCN
Type: phpGroupWare Web site
phpGroupWare

Source: BUGTRAQ
Type: UNKNOWN
20100514 phpGroupWare SQL Injections and Local File Inclusion Vulnerabilities (CVE-2010-0403 and CVE-2010-0404)

Source: BID
Type: UNKNOWN
40167

Source: CCN
Type: BID-40167
phpGroupWare 'app' Parameter Local File Include Vulnerability

Source: VUPEN
Type: Patch, Vendor Advisory
ADV-2010-1145

Source: VUPEN
Type: Vendor Advisory
ADV-2010-1146

Source: XF
Type: UNKNOWN
phpgroupware-about-file-include(58657)

Source: XF
Type: UNKNOWN
phpgroupware-about-file-include(58657)

Vulnerable Configuration:

Configuration 1:

cpe:/a:phpgroupware:phpgroupware:0.9.16:*:*:*:*:*:*:*

OR cpe:/a:phpgroupware:phpgroupware:0.9.16.000:*:*:*:*:*:*:*

OR cpe:/a:phpgroupware:phpgroupware:0.9.16.001:*:*:*:*:*:*:*

OR cpe:/a:phpgroupware:phpgroupware:0.9.16.002:*:*:*:*:*:*:*

OR cpe:/a:phpgroupware:phpgroupware:0.9.16.003:*:*:*:*:*:*:*

OR cpe:/a:phpgroupware:phpgroupware:0.9.16.005:*:*:*:*:*:*:*

OR cpe:/a:phpgroupware:phpgroupware:0.9.16.010:*:*:*:*:*:*:*

OR cpe:/a:phpgroupware:phpgroupware:0.9.16.011:*:*:*:*:*:*:*

OR cpe:/a:phpgroupware:phpgroupware:0.9.16.012:*:*:*:*:*:*:*

OR cpe:/a:phpgroupware:phpgroupware:0.9.16.014:*:*:*:*:*:*:*

OR cpe:/a:phpgroupware:phpgroupware:*:*:*:*:*:*:*:* (Version <= 0.9.16.015)

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.mitre.oval:def:6808	P	DSA-2046 phpgroupware -- several vulnerabilities	2015-02-23
oval:org.mitre.oval:def:12992	P	DSA-2046-1 phpgroupware -- several	2015-02-23
oval:org.debian:def:2046	V	several vulnerabilities	2010-05-13

BACK