Re: dotproject <= 2.0.1 remote code execution

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: dotproject <= 2.0.1 remote code execution
From: Adam Donnison <adam@xxxxxxxxxxx>
Date: Thu, 16 Feb 2006 08:20:13 +1100
In-reply-to: <20060214151107.9753.qmail@xxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: Saki Computer Services
References: <20060214151107.9753.qmail@xxxxxxxxxxxxxxxxx>
User-agent: Mozilla Thunderbird 1.0.7-1.1.fc4 (X11/20050929)

I responded to this yesterday, but for some reason it didn't make it tothe list. So, second try.


r.verton@xxxxxxxxx wrote:

dotproject <= 2.0.1 remote code execution
======================================

[snip]

        Details:
         The 'protection.php' script does not properly validate user-supplied 
input in the 'siteurl' parameter.
         Some user-supplied input is not checked correctly so an attacker can 
include a remote php file and
         execute arbitrary phpcode or arbitrary system command via eval().

protection.php doesn't exist in dotProject. There is no 'siteurl'parameter used anywhere in dotProject.

         Because there are over 10 Bugs I only post the vulnerable files + 
parameters which are not checked.
         To exploit these vulnerables register_globals have to be set ON 
(default).

Note that you state that register_globals must be turned ON, and youstate this is the default. register_globals has been deprecated in PHPsince 4.1.0 and the default has been OFF since 4.2.0.

With register_globals turned off none of these attacks are possible.Our installation instructions clearly state that register_globals is asecurity risk and it should be turned off. Even the check.php scriptyou refer to later checks this and reports it as a security risk.

         Then, if the /doc/ directory is not deleted (default) you can access 
to two varoius files which
         disclose you some system informations:

         1) /docs/phpinfo.php - A phpinfo() file.

2) /docs/check.php - Some more informations about the installed dotProject.

Both of these files are provided for installation support. Neither ofthem are required for the running of dotProject. The installationinstructions state that you should remove or secure this directory formaximal security. They are provided in order to display that information.

        Solution:
         Turn register_globals OFF, delete the /docs/ dir and cover /db/ dir 
with an htaccess.

And this is all explained in the installation instructions, where is theneed for this post?

        Timeline:
         24.01.2006 - Bugs found
         26.01.2006 - Vendor Contacted

Incorrect. You contacted us on 28th, (a Saturday), we discussed withthe devs and responded to you on the 2nd of Feb, which you fail to notehere, and you never got back to us.

         14.02.2006 - Publishing


Adam
Lead developer and Admin, dotproject.net
--
Adam Donnison                                  email: adam@xxxxxxxxxxx
Saki Computer Services Pty. Ltd.
93 Kallista-Emerald Road                        phone: +61 3 9752 1512
THE PATCH  VIC 3792    AUSTRALIA                fax:   +61 3 9752 1098

Follow-Ups:
- Re: dotproject <= 2.0.1 remote code execution
  - From: milw0rm Inc.

References:
- dotproject <= 2.0.1 remote code execution
  - From: r . verton

Prev by Date: Re: Digital Armaments Security Advisory 02.14.2006: Gallery web-based photo gallery remote file execution
Next by Date: [SECURITY] [DSA 978-1] New GnuPG packages fix invalid success return
Previous by thread: Re: dotproject <= 2.0.1 remote code execution
Next by thread: Re: dotproject <= 2.0.1 remote code execution
Index(es):
- Date
- Thread