CVE-2009-4415

Name of the Vulnerable Software and Affected Versions phpGroupWare versions 0.9.16.12 through 0.9.16.013

Description The issue allows remote attackers to read arbitrary files or include and execute arbitrary local files. This can be achieved via the csvfile parameter to the "addressbook/csv import.php" endpoint, or the conv type parameter in "addressbook/inc/class.uiXport.inc.php".

Recommendations For phpGroupWare versions 0.9.16.12 through 0.9.16.013, consider restricting access to the "addressbook/csv import.php" and "addressbook/inc/class.uiXport.inc.php" files until a patch is available. As a temporary workaround, avoid using the csvfile and conv type parameters in the affected endpoints.