"With register_globals turned off none of these attacks are possible." So is there going to be a update to fix the insecure code or is your fix going to remain as so: (register globals must be off to run dotproject) /str0ke On 2/15/06, Adam Donnison <adam@xxxxxxxxxxx> wrote: > I responded to this yesterday, but for some reason it didn't make it to > the list. So, second try. > > r.verton@xxxxxxxxx wrote: > > dotproject <= 2.0.1 remote code execution > > ====================================== > [snip] > > Details: > > The 'protection.php' script does not properly validate user-supplied input in the 'siteurl' parameter. > > Some user-supplied input is not checked correctly so an attacker can include a remote php file and > > execute arbitrary phpcode or arbitrary system command via eval(). > > protection.php doesn't exist in dotProject. There is no 'siteurl' > parameter used anywhere in dotProject. > > > Because there are over 10 Bugs I only post the vulnerable files + parameters which are not checked. > > To exploit these vulnerables register_globals have to be set ON (default). > > Note that you state that register_globals must be turned ON, and you > state this is the default. register_globals has been deprecated in PHP > since 4.1.0 and the default has been OFF since 4.2.0. > > With register_globals turned off none of these attacks are possible. > Our installation instructions clearly state that register_globals is a > security risk and it should be turned off. Even the check.php script > you refer to later checks this and reports it as a security risk. > > > Then, if the /doc/ directory is not deleted (default) you can access to two varoius files which > > disclose you some system informations: > > > > 1) /docs/phpinfo.php - A phpinfo() file. > > > > 2) /docs/check.php - Some more informations about the installed dotProject. > > Both of these files are provided for installation support. Neither of > them are required for the running of dotProject. The installation > instructions state that you should remove or secure this directory for > maximal security. They are provided in order to display that information. > > > Solution: > > Turn register_globals OFF, delete the /docs/ dir and cover /db/ dir with an htaccess. > > And this is all explained in the installation instructions, where is the > need for this post? > > > Timeline: > > 24.01.2006 - Bugs found > > 26.01.2006 - Vendor Contacted > > Incorrect. You contacted us on 28th, (a Saturday), we discussed with > the devs and responded to you on the 2nd of Feb, which you fail to note > here, and you never got back to us. > > > 14.02.2006 - Publishing > > Adam > Lead developer and Admin, dotproject.net > -- > Adam Donnison email: adam@xxxxxxxxxxx > Saki Computer Services Pty. Ltd. > 93 Kallista-Emerald Road phone: +61 3 9752 1512 > THE PATCH VIC 3792 AUSTRALIA fax: +61 3 9752 1098 >
