Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:11440
HistoryFeb 15, 2006 - 12:00 a.m.

dotproject <= 2.0.1 remote code execution

2006-02-1500:00:00
vulners.com
41
JSON

dotproject <= 2.0.1 remote code execution

    Software: dotProject &lt;= 2.0.1
    Severity: Arbitrary code execution, Path/Information Disclosure
    Risk: High
    Author: Robin Verton &lt;[email protected]&gt;
    Date: Feb. 14 2006
    Vendor: dotproject.net [contacted]

    Description:
     dotProject is a volunteer supported Project Management application.

    Details:
     The &#39;protection.php&#39; script does not properly validate user-supplied input in the &#39;siteurl&#39;

parameter.
Some user-supplied input is not checked correctly so an attacker can include a remote php file and
execute arbitrary phpcode or arbitrary system command via eval().

     Because there are over 10 Bugs I only post the vulnerable files + parameters which are not checked.
     To exploit these vulnerables register_globals have to be set ON &#40;default&#41;.

     1&#41; /includes/db_adodb.php?baseDir=[REMOTE INCLUDE]

     2&#41; /includes/db_connect.php?baseDir=[REMOTE INCLUDE]

     3&#41; /includes/session.php?baseDir=[REMOTE INCLUDE]
     
     4&#41; /modules/projects/gantt.php?dPconfig[root_dir]=[REMOTE INCLUDE]

     5&#41; /modules/projects/gantt2.php?dPconfig[root_dir]=[REMOTE INCLUDE]

     6&#41; /modules/projects/vw_files.php?dPconfig[root_dir]=[REMOTE INCLUDE]

     7&#41; /modules/admin/vw_usr_roles.php?baseDir=[REMOTE INCLUDE]

     8&#41; /modules/public/calendar.php?baseDir=[REMOTE INCLUDE]

     9&#41; /modules/public/date_format.php?baseDir=[REMOTE INCLUDE]

     10&#41; /modules/tasks/gantt.php?baseDir=[REMOTE INCLUDE]

     There are also some path discolsure bugs:

     Nearly ALL files in /db/ give out some nice php-errors by accessing them directly with the parameter
     baseDir=foobar.

     Then, if the /doc/ directory is not deleted &#40;default&#41; you can access to two varoius files which
     disclose you some system informations:

     1&#41; /docs/phpinfo.php - A phpinfo&#40;&#41; file.

     2&#41; /docs/check.php - Some more informations about the installed dotProject.

    Solution:
     Turn register_globals OFF, delete the /docs/ dir and cover /db/ dir with an htaccess.

    Timeline:
     24.01.2006 - Bugs found
     26.01.2006 - Vendor Contacted
     14.02.2006 - Publishing

    Credits:
     Credits go to Robin Verton &#40;r.verton [at] gmail [dot] com&#41;
JSON