dotproject <= 2.0.1 remote code execution

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: dotproject <= 2.0.1 remote code execution
From: r.verton@xxxxxxxxx
Date: 14 Feb 2006 15:11:07 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

dotproject <= 2.0.1 remote code execution
======================================

        Software: dotProject <= 2.0.1
        Severity: Arbitrary code execution, Path/Information Disclosure
        Risk: High
        Author: Robin Verton <r.verton@xxxxxxxxx>
        Date: Feb. 14 2006
        Vendor: dotproject.net [contacted]

        Description:
         dotProject is a volunteer supported Project Management application.

        Details:
         The 'protection.php' script does not properly validate user-supplied 
input in the 'siteurl' parameter.
         Some user-supplied input is not checked correctly so an attacker can 
include a remote php file and
         execute arbitrary phpcode or arbitrary system command via eval().

         Because there are over 10 Bugs I only post the vulnerable files + 
parameters which are not checked.
         To exploit these vulnerables register_globals have to be set ON 
(default).

         1) /includes/db_adodb.php?baseDir=[REMOTE INCLUDE]
 
         2) /includes/db_connect.php?baseDir=[REMOTE INCLUDE]
 
         3) /includes/session.php?baseDir=[REMOTE INCLUDE]
         
         4) /modules/projects/gantt.php?dPconfig[root_dir]=[REMOTE INCLUDE]
 
         5) /modules/projects/gantt2.php?dPconfig[root_dir]=[REMOTE INCLUDE]
 
         6) /modules/projects/vw_files.php?dPconfig[root_dir]=[REMOTE INCLUDE]
 
         7) /modules/admin/vw_usr_roles.php?baseDir=[REMOTE INCLUDE]
 
         8) /modules/public/calendar.php?baseDir=[REMOTE INCLUDE]
 
         9) /modules/public/date_format.php?baseDir=[REMOTE INCLUDE]
 
         10) /modules/tasks/gantt.php?baseDir=[REMOTE INCLUDE]

         There are also some path discolsure bugs:

         Nearly ALL files in /db/ give out some nice php-errors by accessing 
them directly with the parameter
         baseDir=foobar.

         Then, if the /doc/ directory is not deleted (default) you can access 
to two varoius files which
         disclose you some system informations:

         1) /docs/phpinfo.php - A phpinfo() file.
 
         2) /docs/check.php - Some more informations about the installed 
dotProject.

        Solution:
         Turn register_globals OFF, delete the /docs/ dir and cover /db/ dir 
with an htaccess.

        Timeline:
         24.01.2006 - Bugs found
         26.01.2006 - Vendor Contacted
         14.02.2006 - Publishing

        Credits:
         Credits go to Robin Verton (r.verton [at] gmail [dot] com)

Follow-Ups:
- Re: dotproject <= 2.0.1 remote code execution
  - From: Adam Donnison
- Re: dotproject <= 2.0.1 remote code execution
  - From: Adam Donnison

Prev by Date: [waraxe-2006-SA#044] - XSS in phpNuke 7.8 and older versions
Next by Date: [ GLSA 200602-06 ] ImageMagick: Format string vulnerability
Previous by thread: [waraxe-2006-SA#044] - XSS in phpNuke 7.8 and older versions
Next by thread: Re: dotproject <= 2.0.1 remote code execution
Index(es):
- Date
- Thread