CVE-2011-4948

Name of the Vulnerable Software and Affected Versions EGroupware Enterprise Line (EPL) versions prior to 11.1.20110804-1 EGroupware Community Edition versions prior to 1.8.001.20110805

Description The issue allows remote attackers to read arbitrary files via a ..%2f (encoded dot dot slash) in the type parameter of the admin/remote.php file.

Recommendations For EGroupware Enterprise Line (EPL) versions prior to 11.1.20110804-1, update to version 11.1.20110804-1 or later. For EGroupware Community Edition versions prior to 1.8.001.20110805, update to version 1.8.001.20110805 or later. As a temporary workaround, consider restricting access to the admin/remote.php file until a patch is applied. Avoid using the type parameter in the affected admin/remote.php file with untrusted input until the issue is resolved.