dotProject GW v2.1.5 - Multiple SQL Injection Vulnerabilities

Reported by Vulnerability Research Laboratory (vulnerlab), 24 Jul 2011. Source: www.vulnerability-lab.com

dotProject GW v2.1.5 - Multiple SQL Injection Vulnerabilities in the dotProject groupware CMS. Severity: high; exploitation technique: remote.

Document Title:
===============
dotProject GW v2.1.5 - Multiple SQL Injection Vulnerabilities



Release Date:
=============
2011-07-24


Vulnerability Laboratory ID (VL-ID):
====================================
83


Product & Service Introduction:
===============================
dotProject is a PHP web-based project management framework that includes modules for companies, projects, 
tasks (with Gantt charts), forums, files, calendar, contacts, tickets/helpdesk, multi-language 
support, user/module permissions and themes. dotProject is a volunteer supported Project Management application. There is no 
company behind this project; it is managed, maintained, developed and supported by a volunteer group and by the users themselves.

For more about the product, what it does, etc please follow the links to the doc site at the top of site. The software is free to 
anyone who would like to download it. Day to day support is provided free by volunteers. If you would like to see the system in 
operation - use the Demo link in the modules list to the left top of the site. If you would like to download the package use the downloads 
link on the top right. Please be aware that the CVS snapshot is guaranteed to be UNSTABLE and should not be used on a production site or 
if you are not willing to have to do some work at the code level.

If you are looking for support, to ask a question or to check to see if issues have been raised by others - use the support link at the 
top right to access our support forums. PLEASE do not send Private Messages to the site admins or other participants on the site - this 
just means that you are trying to jump the priority queue, that any answers you received are selfishly then not shared with the rest 
of the user community OR that you may ask the wrong person who cannot help you. Priority Support is available at a cost - login to the 
support forums and use your UserCP from there to Subscription details and pricing.

(Copy of the Vendor Website: http://www.dotproject.net/)


Abstract Advisory Information:
==============================
Vulnerability-Lab Team discovered multiple SQL injection vulnerabilities in the dotProject groupware CMS.


Vulnerability Disclosure Timeline:
==================================
2011-00-00:	Vendor Notification
2011-00-00:	Vendor Response/Feedback
2011-00-00:	Vendor Fix/Patch
2011-00-00:	Public or Non-Public Disclosure


Discovery Status:
=================
Published


Affected Product(s):
====================

Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Technical Details & Description:
================================
Multiple SQL injection vulnerabilities have been detected in the dotProject content management system.
The vulnerabilities allow a remote attacker to compromise the DBMS behind the affected application.

Vulnerable Module(s):
				[+] ?m=admin&a=viewuser&user_id=
				[+] ?m=contacts&a=select_contact_company&dialog=1&table_name=



1.1
--- SQL Error Logs ---
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for 
the right syntax to use near \\  FROM ( `-1  )  at line 1

1.2
--- SQL Error Logs ---
ERROR: /home/xxx/public_html/demo/dotproject/includes/db_adodb.php(66): Error executing: 
SELECT u.*,con.*, company_id, company_name, dept_name, dept_id FROM ( `users` as u ) LEFT JOIN `contacts` 
AS con ON user_contact = contact_id LEFT JOIN `companies` AS com ON contact_company = company_id LEFT JOIN 
`departments` AS dep ON dept_id = contact_department WHERE u.user_id = -1 

 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for 
the right syntax to use near   at line 1)

Backtrace:
0 /home/opencms/public_html/demo/dotproject/includes/db_adodb.php:66 dprint(\\ home/xxx/public_html/demo/dotproject/
includes/db_adodb.php\\ ,66,0,Error executing: 

SELECT u.*,con.*, company_id, company_name, dept_name, dept_id FROM ( `users` as u ) LEFT JOIN `contacts` AS con ON 
user_contact = contact_id LEFT JOIN `companies` AS com ON contact_company = company_id LEFT JOIN `departments` AS dep 
ON dept_id = contact_department WHERE u.user_id = -1  

 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax 
to use near  at line 1) )
1 /home/xxx/public_html/demo/dotproject/includes/db_connect.php:103 db_exec(\\ SELECT u.*,con.*, company_id, company_name, 
dept_name, dept_id FROM ( `users` as u ) LEFT JOIN `contacts` AS con ON user_contact = contact_id LEFT JOIN `companies` AS com 
ON contact_company = company_id LEFT JOIN `departments` AS dep ON dept_id = contact_department WHERE u.user_id = -1  )
2 /home/opencms/public_html/demo/dotproject/modules/admin/viewuser.php:62 db_loadHash( SELECT u.*,con.*, company_id, company_name, 
dept_name, dept_id FROM ( `users` as u ) LEFT JOIN `contacts` AS con ON user_contact = contact_id LEFT JOIN `companies` AS com ON 
contact_company = company_id LEFT JOIN `departments` AS dep ON dept_id = contact_department WHERE u.user_id = -1 \\ NULL)
3 /home/opencms/public_html/demo/dotproject/index.php:299 require( home/xxx/public_html/demo/dotproject/modules/admin/viewuser.php\\ )

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to 
use near  at line 1



Pictures: 
		           ../dotproject1.png
		           ../dotproject2.png


Proof of Concept (PoC):
=======================
The SQL injection vulnerabilities can be exploited by remote attackers. For demonstration or to reproduce ...

Path:		../dotproject/
File:		index.php
Para:		?m=contacts&a=select_contact_company&dialog=1&table_name=
Para:		index.php?m=admin&a=viewuser&user_id=

PoC:
http://23.xxx.com/dotproject/index.php?m=contacts&a=select_contact_company&dialog=1&table_name=[SQL-Injection]&company_id=0
http://23.xxx.com/dotproject/index.php?m=admin&a=viewuser&user_id=[SQL-Injection]&tab=3


Solution - Fix & Patch:
=======================
Use prepared statements and escape the inserted values to fix the SQL injection vulnerabilities.
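The two affected parameters need two different fixes: `user_id` is a value and can be bound as a prepared-statement parameter, while `table_name` is an SQL identifier, which no database driver can bind, so escaping does not apply and only an allowlist of known table names works. The following is an added example (not dotProject's PHP/ADOdb code) in Python with an in-memory SQLite stand-in; the table layout, the rows and the `ALLOWED_TABLES` set are constructed assumptions.

```python
import sqlite3

# Constructed in-memory stand-in for two of the tables named in the advisory's error log.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (user_id INTEGER PRIMARY KEY, user_username TEXT);
        CREATE TABLE companies (company_id INTEGER PRIMARY KEY, company_name TEXT);
        INSERT INTO users VALUES (1, 'admin'), (2, 'alice');
        INSERT INTO companies VALUES (1, 'Acme'), (2, 'Globex');
    """)
    return conn

def view_user_unsafe(conn, user_id):
    # The pattern behind the advisory's backtrace: the raw user_id request value is
    # concatenated into the WHERE clause, so a stray quote reaches the SQL parser.
    sql = "SELECT user_username FROM users WHERE user_id = " + user_id
    return conn.execute(sql).fetchall()

def view_user_safe(conn, user_id):
    # Fix for ?user_id=: validate the value as an integer, then bind it as a parameter
    # so it can never change the structure of the statement.
    if not user_id.lstrip("-").isdigit():
        raise ValueError("user_id must be an integer")
    sql = "SELECT user_username FROM users WHERE user_id = ?"
    return conn.execute(sql, (int(user_id),)).fetchall()

# Assumption: the set of tables the select_contact_company dialog is meant to query.
ALLOWED_TABLES = {"companies", "contacts"}

def select_from_table_safe(conn, table_name):
    # Fix for ?table_name=: an identifier cannot be bound as a parameter, so escaping
    # does not apply; the only safe approach is to accept known table names only.
    if table_name not in ALLOWED_TABLES:
        raise ValueError("table_name is not an allowed table")
    return conn.execute(f"SELECT * FROM `{table_name}`").fetchall()

def run_query(fn, conn, value):
    # Return the rows, or the exception name when the input is rejected up front or
    # the database reports a syntax error (what the advisory's error log shows).
    try:
        return fn(conn, value)
    except (sqlite3.Error, ValueError) as exc:
        return type(exc).__name__

if __name__ == "__main__":
    db = make_db()
    print(run_query(view_user_unsafe, db, "-1'"))  # OperationalError
    print(run_query(view_user_safe, db, "-1'"))    # ValueError
    print(run_query(view_user_safe, db, "1"))      # [('admin',)]
```

The unsafe function reproduces the MySQL-style syntax error seen in the advisory's logs; the fixed function rejects the same input before it reaches the database.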


Security Risk:
==============
The security risk of the SQL injection vulnerabilities is estimated as high.


Credits & Authors:
==================
Vulnerability Research Laboratory


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       - www.vulnerability-lab.com/register
Contact:    [email protected] 	- [email protected] 	       - [email protected]
Section:    video.vulnerability-lab.com 	- forum.vulnerability-lab.com 		       - news.vulnerability-lab.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       - youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and 
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
modify, use or edit our material contact ([email protected] or [email protected]) to get a permission.

Copyright © 2012 | Vulnerability Laboratory


