dotproject <= 2.0.1 remote code execution

Type securityvulns
Reporter Securityvulns
Modified 2006-02-15T00:00:00


dotproject <= 2.0.1 remote code execution

    Software: dotProject &lt;= 2.0.1
    Severity: Arbitrary code execution, Path/Information Disclosure
    Risk: High
    Author: Robin Verton &lt;;
    Date: Feb. 14 2006
    Vendor: [contacted]

     dotProject is a volunteer supported Project Management application.

     The &#39;protection.php&#39; script does not properly validate user-supplied input in the &#39;siteurl&#39;

parameter. Some user-supplied input is not checked correctly so an attacker can include a remote php file and execute arbitrary phpcode or arbitrary system command via eval().

     Because there are over 10 Bugs I only post the vulnerable files + parameters which are not checked.
     To exploit these vulnerables register_globals have to be set ON &#40;default&#41;.

     1&#41; /includes/db_adodb.php?baseDir=[REMOTE INCLUDE]

     2&#41; /includes/db_connect.php?baseDir=[REMOTE INCLUDE]

     3&#41; /includes/session.php?baseDir=[REMOTE INCLUDE]

     4&#41; /modules/projects/gantt.php?dPconfig[root_dir]=[REMOTE INCLUDE]

     5&#41; /modules/projects/gantt2.php?dPconfig[root_dir]=[REMOTE INCLUDE]

     6&#41; /modules/projects/vw_files.php?dPconfig[root_dir]=[REMOTE INCLUDE]

     7&#41; /modules/admin/vw_usr_roles.php?baseDir=[REMOTE INCLUDE]

     8&#41; /modules/public/calendar.php?baseDir=[REMOTE INCLUDE]

     9&#41; /modules/public/date_format.php?baseDir=[REMOTE INCLUDE]

     10&#41; /modules/tasks/gantt.php?baseDir=[REMOTE INCLUDE]

     There are also some path discolsure bugs:

     Nearly ALL files in /db/ give out some nice php-errors by accessing them directly with the parameter

     Then, if the /doc/ directory is not deleted &#40;default&#41; you can access to two varoius files which
     disclose you some system informations:

     1&#41; /docs/phpinfo.php - A phpinfo&#40;&#41; file.

     2&#41; /docs/check.php - Some more informations about the installed dotProject.

     Turn register_globals OFF, delete the /docs/ dir and cover /db/ dir with an htaccess.

     24.01.2006 - Bugs found
     26.01.2006 - Vendor Contacted
     14.02.2006 - Publishing

     Credits go to Robin Verton &#40;r.verton [at] gmail [dot] com&#41;