CVE-2009-4414

Name of the Vulnerable Software and Affected Versions phpGroupWare versions 0.9.16.12 through 0.9.16.013

Description The issue allows remote attackers to execute arbitrary SQL commands when the magic quotes gpc setting is disabled. This can be achieved by manipulating the passwd parameter in the "login.php" endpoint.

Recommendations For phpGroupWare versions 0.9.16.12 through 0.9.16.013, update to version 0.9.16.014 or later to resolve the issue. As a temporary workaround, consider enabling the magic quotes gpc setting to prevent SQL injection attacks. Restrict access to the login.php endpoint to minimize the risk of exploitation. Avoid using the passwd parameter in the affected endpoint until the issue is resolved.