Hello Bugtraq team,

this is my first posting to the bugtraq ML. If my posting is incomplete or you have further questions, please don't hesitate to mail me. Daniel Wittenberg kindly notified me about the following bug.

best regards
Albrecht Guenther

Overview

PHProjekt is an open source groupware suite written in PHP4 with mysql/postgres/oracle support: www.PHProjekt.com
The security hole concerns the file module.

Details

By adding the famous ".." string to the url one can have access to other directories than the one which is specified in the config.
The concerned releases are version 2.0, 2.0.1 and 2.1 of PHProjekt

Solution

A patched version of the file is available under: http://www.phprojekt.com/download/patch-2.1.tar.gz or download the newest release from the homepage

Credit

Daniel Wittenberg from starken.com found this security hole and kindly provided me with this information.

Albrecht Guenther
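The kind of check that keeps a ".." request inside a configured directory, as an added example that is not PHProjekt's code or its patch. The function name `resolve_in_base`, the temporary directory layout and the sample requests are constructed for illustration; it assumes PHP 7.1 or later and that the requested path is joined onto a configured base directory.

```php
<?php
// Added example: not PHProjekt code. resolve_in_base() and the directory
// layout below are hypothetical, built only to show the containment check.

/**
 * Resolve a user-supplied relative path against $baseDir and return the
 * canonical path only if it stays inside $baseDir; otherwise return null.
 */
function resolve_in_base(string $baseDir, string $userPath): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;                       // configured directory is missing
    }
    // realpath() collapses "..", "." and symlinks; false if the target is absent.
    $target = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($target === false) {
        return null;
    }
    // Compare with a trailing separator so ".../files_old" does not pass
    // as being inside ".../files".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($target !== $base && strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Constructed sample layout: <tmp>/demo_<pid>/files is the configured
// directory, <tmp>/demo_<pid>/secret.txt sits one level above it.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'demo_' . getmypid();
mkdir($root . '/files/docs', 0700, true);
file_put_contents($root . '/files/docs/report.txt', 'ok');
file_put_contents($root . '/secret.txt', 'outside');

$requests = ['docs/report.txt', '../secret.txt', 'docs/../../secret.txt', 'docs/..'];
foreach ($requests as $req) {
    $naive = $root . '/files/' . $req;     // plain concatenation, no check
    $safe  = resolve_in_base($root . '/files', $req);
    printf("%-24s naive readable: %-3s checked: %s\n",
        $req, is_readable($naive) ? 'yes' : 'no', $safe ?? 'rejected');
}
```

The check compares canonical paths rather than searching the input for "..", so it also covers symlinks and a traversal that only leaves the base after passing through a subdirectory.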
This archive was generated by hypermail 2b30 : Tue May 15 2001 - 03:22:28 PDT