Re: dotproject <= 2.0.1 remote code execution

To: Adam Donnison <adam@xxxxxxxxxxx>
Subject: Re: dotproject <= 2.0.1 remote code execution
From: "milw0rm Inc." <milw0rm@xxxxxxxxx>
Date: Fri, 17 Feb 2006 15:12:33 -0600
Cc: bugtraq@xxxxxxxxxxxxxxxxx
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=LWvFMwvnh9UnNXsA0J9eBzHgXPd2QcIpfmlv3h3feVPu4OB4CHeI+MTFI77C27shKdiCLBKVqj5N+of+FgPFYVx0oy0iO9U822WZUTIKryOtJ8ENsfKbNgJc2dH0OiMdtcUenU5IX31gq/czacIh79/1ahz2feF5q3viUjj4abE=
In-reply-to: <43F39B0D.8060200@xxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20060214151107.9753.qmail@xxxxxxxxxxxxxxxxx> <43F39B0D.8060200@xxxxxxxxxxx>

"With register_globals turned off none of these attacks are possible."

So is there going to be a update to fix the insecure code or is your
fix going to remain as so:

(register globals must be off to run dotproject)

/str0ke

On 2/15/06, Adam Donnison <adam@xxxxxxxxxxx> wrote:
> I responded to this yesterday, but for some reason it didn't make it to
> the list.  So, second try.
>
> r.verton@xxxxxxxxx wrote:
> > dotproject <= 2.0.1 remote code execution
> > ======================================
> [snip]
> >       Details:
> >        The 'protection.php' script does not properly validate user-supplied 
> > input in the 'siteurl' parameter.
> >        Some user-supplied input is not checked correctly so an attacker can 
> > include a remote php file and
> >        execute arbitrary phpcode or arbitrary system command via eval().
>
> protection.php doesn't exist in dotProject.  There is no 'siteurl'
> parameter used anywhere in dotProject.
>
> >        Because there are over 10 Bugs I only post the vulnerable files + 
> > parameters which are not checked.
> >        To exploit these vulnerables register_globals have to be set ON 
> > (default).
>
> Note that you state that register_globals must be turned ON, and you
> state this is the default.  register_globals has been deprecated in PHP
> since 4.1.0 and the default has been OFF since 4.2.0.
>
> With register_globals turned off none of these attacks are possible.
> Our installation instructions clearly state that register_globals is a
> security risk and it should be turned off.  Even the check.php script
> you refer to later checks this and reports it as a security risk.
>
> >        Then, if the /doc/ directory is not deleted (default) you can access 
> > to two varoius files which
> >        disclose you some system informations:
> >
> >        1) /docs/phpinfo.php - A phpinfo() file.
> >
> >        2) /docs/check.php - Some more informations about the installed 
> > dotProject.
>
> Both of these files are provided for installation support.  Neither of
> them are required for the running of dotProject.  The installation
> instructions state that you should remove or secure this directory for
> maximal security.  They are provided in order to display that information.
>
> >       Solution:
> >        Turn register_globals OFF, delete the /docs/ dir and cover /db/ dir 
> > with an htaccess.
>
> And this is all explained in the installation instructions, where is the
> need for this post?
>
> >       Timeline:
> >        24.01.2006 - Bugs found
> >        26.01.2006 - Vendor Contacted
>
> Incorrect.  You contacted us on 28th, (a Saturday), we discussed with
> the devs and responded to you on the 2nd of Feb, which you fail to note
> here, and you never got back to us.
>
> >        14.02.2006 - Publishing
>
> Adam
> Lead developer and Admin, dotproject.net
> --
> Adam Donnison                                  email: adam@xxxxxxxxxxx
> Saki Computer Services Pty. Ltd.
> 93 Kallista-Emerald Road                        phone: +61 3 9752 1512
> THE PATCH  VIC 3792    AUSTRALIA                fax:   +61 3 9752 1098
>

References:
- dotproject <= 2.0.1 remote code execution
  - From: r . verton
- Re: dotproject <= 2.0.1 remote code execution
  - From: Adam Donnison

Prev by Date: Re: Java script exploit
Next by Date: [ MDKSA-2006:041 ] - Updated bluez-hcidump packages fix buffer overflow vulnerability
Previous by thread: Re: dotproject <= 2.0.1 remote code execution
Next by thread: [ GLSA 200602-06 ] ImageMagick: Format string vulnerability
Index(es):
- Date
- Thread