Re: dotproject <= 2.0.1 remote code execution
"With register_globals turned off none of these attacks are possible."
So is there going to be an update to fix the insecure code, or is your
fix going to remain as so:
(register globals must be off to run dotproject)
/str0ke
On 2/15/06, Adam Donnison <adam@xxxxxxxxxxx> wrote:
> I responded to this yesterday, but for some reason it didn't make it to
> the list. So, second try.
>
> r.verton@xxxxxxxxx wrote:
> > dotproject <= 2.0.1 remote code execution
> > ======================================
> [snip]
> > Details:
> > The 'protection.php' script does not properly validate user-supplied
> > input in the 'siteurl' parameter.
> > Some user-supplied input is not checked correctly, so an attacker can
> > include a remote PHP file and execute arbitrary PHP code or an
> > arbitrary system command via eval().
>
> protection.php doesn't exist in dotProject. There is no 'siteurl'
> parameter used anywhere in dotProject.
>
> > Because there are over 10 Bugs I only post the vulnerable files +
> > parameters which are not checked.
> > To exploit these vulnerabilities, register_globals has to be set ON
> > (default).
>
> Note that you state that register_globals must be turned ON, and you
> state this is the default. register_globals has been deprecated in PHP
> since 4.1.0 and the default has been OFF since 4.2.0.
>
> With register_globals turned off none of these attacks are possible.
> Our installation instructions clearly state that register_globals is a
> security risk and it should be turned off. Even the check.php script
> you refer to later checks this and reports it as a security risk.
>
> > Then, if the /doc/ directory is not deleted (default) you can access
> > two various files which disclose some system information:
> >
> > 1) /docs/phpinfo.php - A phpinfo() file.
> >
> > 2) /docs/check.php - Some more information about the installed
> > dotProject.
>
> Both of these files are provided for installation support. Neither of
> them is required for the running of dotProject. The installation
> instructions state that you should remove or secure this directory for
> maximal security. They are provided in order to display that information.
>
> > Solution:
> > Turn register_globals OFF, delete the /docs/ dir and cover /db/ dir
> > with an htaccess.
>
> And this is all explained in the installation instructions; where is the
> need for this post?
>
> > Timeline:
> > 24.01.2006 - Bugs found
> > 26.01.2006 - Vendor Contacted
>
> Incorrect. You contacted us on the 28th (a Saturday); we discussed with
> the devs and responded to you on the 2nd of Feb, which you fail to note
> here, and you never got back to us.
>
> > 14.02.2006 - Publishing
>
> Adam
> Lead developer and Admin, dotproject.net
> --
> Adam Donnison email: adam@xxxxxxxxxxx
> Saki Computer Services Pty. Ltd.
> 93 Kallista-Emerald Road phone: +61 3 9752 1512
> THE PATCH VIC 3792 AUSTRALIA fax: +61 3 9752 1098
>
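The register_globals argument above comes down to one pattern: a script that reads an include path from a variable it never set itself. As an added illustration (not dotProject code and not from either poster), the snippet below puts that pattern beside a version that does not depend on the ini setting; the script, the `theme` parameter and the `themes/` paths are hypothetical.

```php
<?php
// Added example, not part of dotProject. Shows why register_globals turns an
// unset include path into a remote/local file inclusion, and the defensive form.

// --- The pattern the advisory describes (hypothetical script and parameter) ---
// With register_globals=On, PHP copies every request variable into a global,
// so $siteurl is whatever the client sent as ?siteurl=... and include() will
// fetch a remote URL when allow_url_fopen is on.
function vulnerable_include()
{
    global $siteurl;                  // silently populated from the request
    include $siteurl . '/footer.php'; // unvalidated path: RFI / LFI
}

// --- Hardened form: refuse an unsafe configuration, read input explicitly,
//     and map it through an allowlist so the client never supplies a path ---
function refuse_unsafe_config()
{
    // Same condition dotProject's check.php reports; here it is fatal.
    if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
        header('HTTP/1.1 500 Internal Server Error');
        exit('register_globals is enabled; refusing to run.');
    }
}

function safe_include(array $request)
{
    $allowed = array(                 // hypothetical theme files
        'default' => __DIR__ . '/themes/default/footer.php',
        'minimal' => __DIR__ . '/themes/minimal/footer.php',
    );
    $key = isset($request['theme']) ? (string) $request['theme'] : 'default';
    if (!array_key_exists($key, $allowed)) {
        $key = 'default';             // fall back; never echo the input
    }
    // realpath() resolves symlinks and '..'; require the result to stay
    // under themes/ so even a mis-edited allowlist cannot escape it.
    $base = realpath(__DIR__ . '/themes');
    $path = realpath($allowed[$key]);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    include $path;
    return true;
}

refuse_unsafe_config();
safe_include($_GET);
```

On PHP 5.4 and later `ini_get('register_globals')` is empty because the directive no longer exists, so the check simply passes; the allowlist is what carries the protection there.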