BugTraq
dotproject <= 2.0.1 remote code execution Feb 14 2006 03:11PM
r verton gmail com (2 replies)
Re: dotproject <= 2.0.1 remote code execution Feb 15 2006 09:20PM
Adam Donnison (adam saki com au) (1 replies)
Re: dotproject <= 2.0.1 remote code execution Feb 17 2006 09:12PM
milw0rm Inc. (milw0rm gmail com)
Re: dotproject <= 2.0.1 remote code execution Feb 14 2006 09:54PM
Adam Donnison (adam saki com au)
I'm not sure I understand why this is a problem. As you have stated
register_globals must be set to on before any of this can be triggered.
In terms on register_globals being on by default, that hasn't been the
case in PHP for quite some time.

Also, I am intrigued by the claim that 'protection.php' is vulnerable.
There is no 'protection.php' anywhere in the dotProject tree.

As pointed out to you privately, the simple solution is to turn
register_globals off.

Adam Donnison
Admin - dotProject

r.verton (at) gmail (dot) com [email concealed] wrote:
> dotproject <= 2.0.1 remote code execution
> ======================================
>
> Software: dotProject <= 2.0.1
> Severity: Arbitrary code execution, Path/Information Disclosure
> Risk: High
> Author: Robin Verton <r.verton (at) gmail (dot) com [email concealed]>
> Date: Feb. 14 2006
> Vendor: dotproject.net [contacted]
>
> Description:
> dotProject is a volunteer supported Project Management application.
>
> Details:
> The 'protection.php' script does not properly validate user-supplied input in the 'siteurl' parameter.
> Some user-supplied input is not checked correctly so an attacker can include a remote php file and
> execute arbitrary phpcode or arbitrary system command via eval().
>
> Because there are over 10 Bugs I only post the vulnerable files + parameters which are not checked.
> To exploit these vulnerables register_globals have to be set ON (default).
>
> 1) /includes/db_adodb.php?baseDir=[REMOTE INCLUDE]
>
> 2) /includes/db_connect.php?baseDir=[REMOTE INCLUDE]
>
> 3) /includes/session.php?baseDir=[REMOTE INCLUDE]
>
> 4) /modules/projects/gantt.php?dPconfig[root_dir]=[REMOTE INCLUDE]
>
> 5) /modules/projects/gantt2.php?dPconfig[root_dir]=[REMOTE INCLUDE]
>
> 6) /modules/projects/vw_files.php?dPconfig[root_dir]=[REMOTE INCLUDE]
>
> 7) /modules/admin/vw_usr_roles.php?baseDir=[REMOTE INCLUDE]
>
> 8) /modules/public/calendar.php?baseDir=[REMOTE INCLUDE]
>
> 9) /modules/public/date_format.php?baseDir=[REMOTE INCLUDE]
>
> 10) /modules/tasks/gantt.php?baseDir=[REMOTE INCLUDE]
>
> There are also some path discolsure bugs:
>
> Nearly ALL files in /db/ give out some nice php-errors by accessing them directly with the parameter
> baseDir=foobar.
>
> Then, if the /doc/ directory is not deleted (default) you can access to two varoius files which
> disclose you some system informations:
>
> 1) /docs/phpinfo.php - A phpinfo() file.
>
> 2) /docs/check.php - Some more informations about the installed dotProject.
>
> Solution:
> Turn register_globals OFF, delete the /docs/ dir and cover /db/ dir with an htaccess.
>
> Timeline:
> 24.01.2006 - Bugs found
> 26.01.2006 - Vendor Contacted
> 14.02.2006 - Publishing
>
> Credits:
> Credits go to Robin Verton (r.verton [at] gmail [dot] com)
>

--
Adam Donnison email: adam (at) saki.com (dot) au [email concealed]
Saki Computer Services Pty. Ltd.
93 Kallista-Emerald Road phone: +61 3 9752 1512
THE PATCH VIC 3792 AUSTRALIA fax: +61 3 9752 1098

[ reply ]
 

Privacy Statement
Copyright 2010, SecurityFocus