lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 16 Feb 2006 08:20:13 +1100
From: Adam Donnison <adam@...i.com.au>
To: bugtraq@...urityfocus.com
Subject: Re: dotproject <= 2.0.1 remote code execution


I responded to this yesterday, but for some reason it didn't make it to 
the list.  So, second try.

r.verton@...il.com wrote:
> dotproject <= 2.0.1 remote code execution
> ======================================
[snip]
> 	Details:
> 	 The 'protection.php' script does not properly validate user-supplied input in the 'siteurl' parameter.
> 	 Some user-supplied input is not checked correctly so an attacker can include a remote php file and
> 	 execute arbitrary phpcode or arbitrary system command via eval().

protection.php doesn't exist in dotProject.  There is no 'siteurl' 
parameter used anywhere in dotProject.

> 	 Because there are over 10 Bugs I only post the vulnerable files + parameters which are not checked.
> 	 To exploit these vulnerables register_globals have to be set ON (default).

Note that you state that register_globals must be turned ON, and you 
state this is the default.  register_globals has been deprecated in PHP 
since 4.1.0 and the default has been OFF since 4.2.0.

With register_globals turned off none of these attacks are possible. 
Our installation instructions clearly state that register_globals is a 
security risk and it should be turned off.  Even the check.php script 
you refer to later checks this and reports it as a security risk.

> 	 Then, if the /doc/ directory is not deleted (default) you can access to two varoius files which
> 	 disclose you some system informations:
> 
> 	 1) /docs/phpinfo.php - A phpinfo() file.
>  
> 	 2) /docs/check.php - Some more informations about the installed dotProject.

Both of these files are provided for installation support.  Neither of 
them are required for the running of dotProject.  The installation 
instructions state that you should remove or secure this directory for 
maximal security.  They are provided in order to display that information.

> 	Solution:
> 	 Turn register_globals OFF, delete the /docs/ dir and cover /db/ dir with an htaccess.

And this is all explained in the installation instructions, where is the 
need for this post?

> 	Timeline:
> 	 24.01.2006 - Bugs found
> 	 26.01.2006 - Vendor Contacted

Incorrect.  You contacted us on 28th, (a Saturday), we discussed with 
the devs and responded to you on the 2nd of Feb, which you fail to note 
here, and you never got back to us.

> 	 14.02.2006 - Publishing

Adam
Lead developer and Admin, dotproject.net
-- 
Adam Donnison                                  email: adam@...i.com.au
Saki Computer Services Pty. Ltd.
93 Kallista-Emerald Road                        phone: +61 3 9752 1512
THE PATCH  VIC 3792    AUSTRALIA                fax:   +61 3 9752 1098

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ