PHProjekt: Remote code execution vulnerability PHProjekt contains a vulnerability that allows a remote attacker to execute arbitrary PHP code. PHProjekt 2004-12-30 2004-12-30 75858 remote 4.2-r2 4.2-r2

PHProjekt is a modular groupware web application used to coordinate group activities and share files.

cYon discovered that the authform.inc.php script allows a remote user to define the global variable $path_pre.

A remote attacker can exploit this vulnerability to force authform.inc.php to download and execute arbitrary PHP code with the privileges of the web server user.

There is no known workaround at this time.

All PHProjekt users should upgrade to the latest version:

# emerge --sync # emerge --ask --oneshot --verbose ">=www-apps/phprojekt-4.2-r2"
PHProjekt Advisory koon koon