|
 |
| SecurityReason | ||
| WLB | ||
| Services | ||
| RSS | ||
| Corporate | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
Home  SecurityAlert Database |
||||
SecurityAlert : 434 CVE : CVE-2006-0756 SecurityRisk : High  (About) Remote Exploit : Yes Local Exploit : No Exploit Available : Yes Credit : Robin Verton Published : 16.02.2006
Advisory Content : dotproject <= 2.0.1 remote code execution ====================================== Software: dotProject <= 2.0.1 Severity: Arbitrary code execution, Path/Information Disclosure Risk: High Author: Robin Verton <r.verton (at) gmail (dot) com [email concealed]> Date: Feb. 14 2006 Vendor: dotproject.net [contacted] Description: dotProject is a volunteer supported Project Management application. Details: The 'protection.php' script does not properly validate user-supplied input in the 'siteurl' parameter. Some user-supplied input is not checked correctly so an attacker can include a remote php file and execute arbitrary phpcode or arbitrary system command via eval(). Because there are over 10 Bugs I only post the vulnerable files + parameters which are not checked. To exploit these vulnerables register_globals have to be set ON (default). 1) /includes/db_adodb.php?baseDir=[REMOTE INCLUDE] 2) /includes/db_connect.php?baseDir=[REMOTE INCLUDE] 3) /includes/session.php?baseDir=[REMOTE INCLUDE] 4) /modules/projects/gantt.php?dPconfig[root_dir]=[REMOTE INCLUDE] 5) /modules/projects/gantt2.php?dPconfig[root_dir]=[REMOTE INCLUDE] 6) /modules/projects/vw_files.php?dPconfig[root_dir]=[REMOTE INCLUDE] 7) /modules/admin/vw_usr_roles.php?baseDir=[REMOTE INCLUDE] 8) /modules/public/calendar.php?baseDir=[REMOTE INCLUDE] 9) /modules/public/date_format.php?baseDir=[REMOTE INCLUDE] 10) /modules/tasks/gantt.php?baseDir=[REMOTE INCLUDE] There are also some path discolsure bugs: Nearly ALL files in /db/ give out some nice php-errors by accessing them directly with the parameter baseDir=foobar. Then, if the /doc/ directory is not deleted (default) you can access to two varoius files which disclose you some system informations: 1) /docs/phpinfo.php - A phpinfo() file. 2) /docs/check.php - Some more informations about the installed dotProject. Solution: Turn register_globals OFF, delete the /docs/ dir and cover /db/ dir with an htaccess. Timeline: 24.01.2006 - Bugs found 26.01.2006 - Vendor Contacted 14.02.2006 - Publishing Credits: Credits go to Robin Verton (r.verton [at] gmail [dot] com)  Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||
| Alert | ||
libc:fts_*() Multiple Denial of Service
The fts functions are provided for traversing UNIX file hierarchies... |
||
| Apache |  |
|
» Apache Tomcat 6.0.20 and |
||
» Apache Tomcat 6.0.20 and |
||
» Apache Tomcat 6.0.20 and |
||
| PHP | |
|
» PHP 5.2.12/5.3.1 |
||
- 2009-10-02| Copyright © SecurityReason.com. All Rights Reserved. |