Hi all,

A security vulnerability has been discovered in phpGW < 0.9.16.011. We were not given a heads up before it was published.

The exploit is in the holiday code in calendar. It can only be exploited with register_globals = on and gpc_magic_quotes = off.

The advisory can be found at http://www.frsirt.com/english/advisories/2006/3414

There is code which exploits the vulnerability in the wild - see http://milw0rm.com/exploits/2270

All users are strongly encouraged to upgrade immediately.

You can grab the new version from - http://sourceforge.net/project/showfiles.php?group_id=7305

Or update from cvs

    $ cd /path/to/phpgroupware
    $ cvs update -dP

In addition to the security issue above, this release fixes support for MySQL4.1+ and pgsql 8. Support for php5 has been improved too, php5 should now work with zend.ze1_compatibility_mode on.

When grabbing your update, check out the conference - http://conference.phpgroupware.org :)

Cheers

Dave

--
Dave Hall (aka skwashd)
API Coordinator
phpGroupWare
+-------------------------------------+-------------------------------+
| e [EMAIL PROTECTED]                 | w phpgroupware.org            |
| j [EMAIL PROTECTED]                 | aim skwashd                   |
| icq 278064022                       | msn [EMAIL PROTECTED]         |
| sip [EMAIL PROTECTED]               | y! skwashd                    |
+-------------------------------------+-------------------------------+
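The conditions in the announcement above (a version older than 0.9.16.011, register_globals on, magic quotes off) can be checked on a host with the following script, which is an added example and not part of the original message or of phpGroupWare. It assumes the operator passes in the installed version and the php.ini path, and it uses PHP's directive name magic_quotes_gpc for the setting the message calls gpc_magic_quotes; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not phpGroupWare code): exposure check for the announcement's
# conditions. Assumptions: the operator supplies the installed version and the
# php.ini that the web server's PHP really loads.
FIXED_VERSION="0.9.16.011"   # first fixed release, per the announcement

# Print the last uncommented value of a php.ini directive, lowercased.
ini_value() {  # usage: ini_value <php.ini> <directive>
    awk -F= -v key="$2" '
        /^[ \t]*[;#]/ { next }
        { k = $1; gsub(/[ \t]/, "", k) }
        k == key { v = $2; sub(/;.*/, "", v); gsub(/[ \t\r"]/, "", v); val = v }
        END { print tolower(val) }' "$1"
}

is_on() {  # PHP reads 1/on/yes/true as boolean true
    case "$1" in 1|on|yes|true) return 0 ;; *) return 1 ;; esac
}

version_lt() {  # true when dotted version $1 sorts before $2 (011 compares as 11)
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1 }'
}

# Print a verdict; return 0 only when every stated precondition holds.
exposure() {  # usage: exposure <installed-version> <php.ini>
    rg=$(ini_value "$2" register_globals)
    mq=$(ini_value "$2" magic_quotes_gpc)
    # Assumption: unset directives take PHP's built-in defaults
    # (register_globals off since PHP 4.2.0, magic_quotes_gpc on).
    rg=${rg:-off}; mq=${mq:-on}
    if ! version_lt "$1" "$FIXED_VERSION"; then
        echo "not affected: $1 is not older than $FIXED_VERSION"; return 1
    fi
    if is_on "$rg" && ! is_on "$mq"; then
        echo "EXPOSED: $1 with register_globals=$rg, magic_quotes_gpc=$mq"
        return 0
    fi
    echo "affected version $1, but php.ini does not meet the preconditions; upgrade anyway"
    return 1
}

if [ $# -eq 2 ]; then exposure "$1" "$2"; fi
```

The script reads only the php.ini it is given, so per-directory overrides such as `php_flag` lines in .htaccess are not seen; `php -i` or `phpinfo()` reports the effective values.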
