dotProject core.php Read Arbitrary File

2003-01-26T00:00:00
ID OSVDB:3593
Type osvdb
Reporter OSVDB
Modified 2003-01-26T00:00:00

Description

Vulnerability Description

dotProject contains a flaw that allows a remote attacker to read arbitrary files. The issue is due to the core.php script calling the classdefs/date.php script without defining or restricting the $root_dir variable. This allows an attacker to set the variable to an arbitrary file or directory, terminate the request with %00, and have the file displayed.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Short Description

dotProject contains a flaw that allows a remote attacker to read arbitrary files. The issue is due to the core.php script calling the classdefs/date.php script without defining or restricting the $root_dir variable. This allows an attacker to set the variable to an arbitrary file or directory, terminate the request with %00, and have the file displayed.

Manual Testing Notes

http://[victim]/dotproject/locales/core.php?root_dir=/file_or_dir_path/%00

References:

Vendor URL: http://www.dotproject.net/ Secunia Advisory ID:7961 Related OSVDB ID: 3592 Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2003-01/0320.html ISS X-Force ID: 11174