#14 Vulnerability detected!

Interface (10)

There's a serious flaw in the security of the phpwscontacts
(v0.7.1 and maybe higher!) module: you can directly link
to the CSV file of all contacts without logging in!

I accidentally searched Google with "cgk-bol.nl" (my
domain) and found out that one of the first links in
Google linked to the downloadable phpwscontacts CSV
file! (URL: http://www.phpwebsitemanual.com/index.php?
) It also happened while visiting other phpws sites.

I tested my own site myself (v0.9.3-1) and I got
(luckily!) an error. Maybe because I used
phpwscontacts v0.7.1 in combination with the
pagemasterhack or other modules.



  • Anonymous - 2004-04-22

    Logged In: YES

    Rizzo(Don) acted real fast with this response:

    It's fixed in CVS. There will be a new release tonight when I
    get home. In the meantime anxious webmasters can add this
    to the beginning of the _exportCSV() function in

    // Deny the export when anonymous viewing is off and no user is logged in
    if (!$this->_allow_anon_view && !$_SESSION["OBJ_user"]->username) {
        $GLOBALS["CNT_phpwscontacts"]["title"] = $_SESSION["translate"]->it("Anonymous Viewing Denied");
        $GLOBALS["CNT_phpwscontacts"]["content"] .= $_SESSION["translate"]->it("Anonymous viewing of contact information has been disabled. You must log-in to view contacts.");
        return FALSE;
    }
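As an added illustration (not code from this thread or from phpwsContacts itself), the same gate modelled in Python beside the pre-fix behaviour: the check has to live in the export routine, because the CSV action is reachable by direct link regardless of what the contact-list view allows. The session shape, the sample contacts and the helper names are assumptions.

```python
import csv
import io

# Constructed sample data standing in for the phpwsContacts address book.
CONTACTS = [
    {"name": "Alice Example", "email": "alice@example.invalid"},
    {"name": "Bob Example", "email": "bob@example.invalid"},
]

DENIED_TITLE = "Anonymous Viewing Denied"
DENIED_TEXT = ("Anonymous viewing of contact information has been "
               "disabled. You must log-in to view contacts.")


def _render_csv(contacts):
    """Serialise the contact list exactly as the export hands it out."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["name", "email"])
    writer.writeheader()
    writer.writerows(contacts)
    return buf.getvalue()


def export_csv_unpatched(session, allow_anon_view, contacts=CONTACTS):
    """Pre-0.8.3 behaviour (assumed model): the export never consults the
    session or the module setting, so anyone holding the link gets the
    whole list."""
    return True, _render_csv(contacts)


def export_csv(session, allow_anon_view, contacts=CONTACTS):
    """Model of _exportCSV() with the gate from the thread in place.

    session: dict like {"username": "rizzo"}; an anonymous visitor has an
    empty username (mirrors $_SESSION["OBJ_user"]->username in phpWebSite).
    allow_anon_view: the module's _allow_anon_view setting.
    Returns (ok, payload): the CSV text on success, otherwise the
    (title, message) pair the fix writes into the page content.
    """
    logged_in = bool(session.get("username"))
    # Same condition as the patch: deny only when anonymous viewing is
    # disabled AND the requester carries no authenticated username.
    if not allow_anon_view and not logged_in:
        return False, (DENIED_TITLE, DENIED_TEXT)
    return True, _render_csv(contacts)
```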

  • Anonymous - 2004-04-22
    • status: open --> open-works-for-me
  • Don Seiler

    Don Seiler - 2004-04-22

    Logged In: YES

    phpwsContacts 0.8.3 was released last night with this fix.
    I seriously recommend upgrading your phpWebSite core and
    phpwsContacts versions ASAP.

  • Don Seiler

    Don Seiler - 2004-04-22
    • status: open-works-for-me --> pending-fixed
  • Anonymous - 2004-04-22
    • status: pending-fixed --> open-fixed
  • Anonymous - 2004-04-22

    Logged In: YES

    And later on a real update :-)

    [Rizzo:] phpwsContacts 0.8.3 is released. You can download
    it from: http://sourceforge.net/project/shownotes.php?

  • Don Seiler

    Don Seiler - 2004-04-29
    • priority: 5 --> 8
    • assigned_to: nobody --> rizzo
    • status: open-fixed --> closed-fixed
  • Don Seiler

    Don Seiler - 2004-04-29

    Logged In: YES

    Thought I closed this. Doing so now.

