Summary
The host is installed with NullLogic Groupware and is prone to multiple vulnerabilities.
Impact
Attackers can exploit this issue to execute arbitrary SQL quries in the context of affected application, and can cause buffer overflow or denial of service.
Impact Level: Application
Solution
No solution or patch was made available for at least one year since disclosure of this vulnerability. Likely none will be provided anymore.
General solution options are to upgrade to a newer release, disable respective features, remove the product or replace the product by another one.
Insight
Multiple flaws occur because,
- The 'auth_checkpass' function in the login page does not validate the input passed into the username parameter.
- An error in the 'fmessagelist' function in the forum module when processing a group name containing a non-numeric string or is an empty string.
- Multiple stack-based buffer overflows occurs in the 'pgsqlQuery' function while processing malicious input to POP3, SMTP or web component that triggers a long SQL query when PostgreSQL is used.
Affected
NullLogic Groupware 1.2.7 and prior on all platforms.
References
Severity
Classification
-
CVE CVE-2009-2354, CVE-2009-2355, CVE-2009-2356 -
CVSS Base Score: 9.3
AV:N/AC:M/Au:N/C:C/I:C/A:C
Related Vulnerabilities
- Adobe Flash Player 9.0.115.0 and earlier vulnerability (Lin)
- Adobe Extension Manager CS5 Insecure Library Loading Vulnerability (Win)
- Active Perl Locale::Maketext Module Multiple Code Injection Vulnerabilities (Windows)
- Adobe Air Remote Code Execution Vulnerability -June13 (Mac OS X)
- Adobe AIR Multiple Vulnerabilities-01 Jun14 (Windows)