[原文]PHP remote file inclusion vulnerability in tables_update.inc.php in phpGroupWare 0.9.14.005 and earlier allows remote attackers to execute arbitrary PHP code via an external URL in the appdir parameter.
phpGroupWare contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the tables_update.inc.php script not properly sanitizing input to the "appdir" variable. By providing an arbitrary PHP file on a remote system, an attacker can inject arbitrary commands to be run on the victim host.
Upgrade to version 0.9.14.006 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.