<<< Date Index >>>     <<< Thread Index >>>

Re: dotproject <= 2.0.1 remote code execution



"With register_globals turned off none of these attacks are possible."

So is there going to be a update to fix the insecure code or is your
fix going to remain as so:

(register globals must be off to run dotproject)

/str0ke

On 2/15/06, Adam Donnison <adam@xxxxxxxxxxx> wrote:
> I responded to this yesterday, but for some reason it didn't make it to
> the list.  So, second try.
>
> r.verton@xxxxxxxxx wrote:
> > dotproject <= 2.0.1 remote code execution
> > ======================================
> [snip]
> >       Details:
> >        The 'protection.php' script does not properly validate user-supplied 
> > input in the 'siteurl' parameter.
> >        Some user-supplied input is not checked correctly so an attacker can 
> > include a remote php file and
> >        execute arbitrary phpcode or arbitrary system command via eval().
>
> protection.php doesn't exist in dotProject.  There is no 'siteurl'
> parameter used anywhere in dotProject.
>
> >        Because there are over 10 Bugs I only post the vulnerable files + 
> > parameters which are not checked.
> >        To exploit these vulnerables register_globals have to be set ON 
> > (default).
>
> Note that you state that register_globals must be turned ON, and you
> state this is the default.  register_globals has been deprecated in PHP
> since 4.1.0 and the default has been OFF since 4.2.0.
>
> With register_globals turned off none of these attacks are possible.
> Our installation instructions clearly state that register_globals is a
> security risk and it should be turned off.  Even the check.php script
> you refer to later checks this and reports it as a security risk.
>
> >        Then, if the /doc/ directory is not deleted (default) you can access 
> > to two varoius files which
> >        disclose you some system informations:
> >
> >        1) /docs/phpinfo.php - A phpinfo() file.
> >
> >        2) /docs/check.php - Some more informations about the installed 
> > dotProject.
>
> Both of these files are provided for installation support.  Neither of
> them are required for the running of dotProject.  The installation
> instructions state that you should remove or secure this directory for
> maximal security.  They are provided in order to display that information.
>
> >       Solution:
> >        Turn register_globals OFF, delete the /docs/ dir and cover /db/ dir 
> > with an htaccess.
>
> And this is all explained in the installation instructions, where is the
> need for this post?
>
> >       Timeline:
> >        24.01.2006 - Bugs found
> >        26.01.2006 - Vendor Contacted
>
> Incorrect.  You contacted us on 28th, (a Saturday), we discussed with
> the devs and responded to you on the 2nd of Feb, which you fail to note
> here, and you never got back to us.
>
> >        14.02.2006 - Publishing
>
> Adam
> Lead developer and Admin, dotproject.net
> --
> Adam Donnison                                  email: adam@xxxxxxxxxxx
> Saki Computer Services Pty. Ltd.
> 93 Kallista-Emerald Road                        phone: +61 3 9752 1512
> THE PATCH  VIC 3792    AUSTRALIA                fax:   +61 3 9752 1098
>