COMMAND

    PHProjekt

SYSTEMS AFFECTED

    PHProjekt 2.0, 2.0.1, 2.1

PROBLEM

    PHProjekt is an open source groupware suite written in PHP4 with
    MySQL/PostgreSQL/Oracle support. The security hole concerns the
    file module.

    By adding the famous ".." string to the URL, one can gain access
    to directories other than the one specified in the config.

    The affected releases are versions 2.0, 2.0.1 and 2.1 of PHProjekt.

    Credit goes to Daniel Wittenberg for finding this.

SOLUTION

    A patched version of the file is available under:

        http://www.phprojekt.com/download/patch-2.1.tar.gz

    or download the newest release from the homepage.
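
    One way to keep a requested file inside a configured directory
    despite ".." in the input, as an added example (this is not
    PHProjekt's code and not the content of the patch; the helper
    name resolve_in_base() and the demo directory layout are
    assumptions):

```php
<?php
// Added illustration, not PHProjekt code. resolve_in_base() is a hypothetical helper.

/**
 * Return the canonical path of $requested if it lies inside $baseDir,
 * or null if it escapes the base, does not exist, or is malformed.
 */
function resolve_in_base(string $baseDir, string $requested): ?string
{
    // A NUL byte never belongs in a file name; reject before touching the filesystem.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return null;
    }
    // realpath() collapses "..", "." and symlinks; it returns false for missing paths.
    $full = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($full === false) {
        return null;
    }
    // Compare against base + separator so "/data/files-old" does not pass for "/data/files".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($full !== $base && strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $full;
}

// Constructed demo tree: one file inside the base directory, one outside it.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pt_demo_' . getmypid();
mkdir($root . '/files/sub', 0700, true);
file_put_contents($root . '/files/sub/report.txt', 'inside');
file_put_contents($root . '/secret.txt', 'outside');

$cases = ['sub/report.txt', 'sub/../sub/report.txt', '../secret.txt',
          'sub/../../secret.txt', '/etc/passwd'];
foreach ($cases as $case) {
    $result = resolve_in_base($root . '/files', $case);
    printf("%-24s => %s\n", $case, $result === null ? 'rejected' : 'allowed');
}

// Remove the constructed demo tree.
unlink($root . '/files/sub/report.txt');
unlink($root . '/secret.txt');
rmdir($root . '/files/sub');
rmdir($root . '/files');
rmdir($root);
```

    The check is made on the resolved path rather than by searching
    the input for "..", so a path such as "sub/../sub/report.txt"
    that stays inside the directory is still served.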