dotproject Remote File Access Vulnerability

2003-01-28T00:00:00
ID SECURITYVULNS:DOC:4027
Type securityvulns
Reporter Securityvulns
Modified 2003-01-28T00:00:00

Description

dotproject Remote File Access Vulnerability ( By Mindwarper :: mindwarper@hush.com :: )

<------- ------->


Vendor Information:

Homepage : http://www.dotproject.net Vendor : informed Mailed advisory: 26/01/02 Vender Response : None


Affected Versions:

dev20030121 and prior


Vulnerability:

dotproject is a PHP+MySQL beta level web based project management and tracking tool that dotmarketing started in Dec. 2000. A Vulnerability exists in a file named core.php which is found in the /locale/ directory. Because there is no .htaccess set on this directory nor any security check in core.php, an attacker may call it directly and read local files with webserver permissions.

Here is the code of core.php:


<?php ob_start(); @readfile( "$root_dir/locales/$AppUI->user_locale/common.inc" ); @readfile( "$root_dir/locales/$AppUI->user_locale/$m.inc" );

..


We can see that $root_dir is never defined before and may be injected if globals are on. An attacker may type in the browser the following URI:

http://victim/dotproject/locales/core.php?root_dir=/file_or_dir_path/%00

Here %00 just ignores everything that comes after it so that the attack may be able to read any file on the server.


Solution:

Please check the vendor's website for new patches.

As a temporary solution, create a .htaccess file that contains 'Deny from all'. Place it in the /locale/ directory and that should block remote users from accessing it.


Greetz:

ps, Truckle, Cyon, coobb, mary

<------- ------->

Concerned about your privacy? Follow this link to get FREE encrypted email: https://www.hushmail.com/?l=2

Big $$$ to be made with the HushMail Affiliate Program: https://www.hushmail.com/about.php?subloc=affiliate&l=427