dotproject Remote File Access Vulnerability

Summary

dotproject is a PHP+MySQL beta-level web-based project management and tracking tool that dotmarketing started in December 2000. A vulnerability exists in the file core.php in the locales directory. Because there is neither an .htaccess restriction on this directory nor any access check inside core.php, an attacker may request it directly and, when register_globals is enabled, read arbitrary local files with the permissions of the web server user.

Credit:

The information has been provided by Mindwarper.


Details

Here is the relevant code of core.php (the original uses double-quoted strings so that the variables are interpolated; the quotes are restored here after extraction mangled them):
********
<?php
ob_start();
// $root_dir is never assigned in this file; with register_globals on it can be
// supplied as a request parameter. $AppUI->user_locale and $m are likewise
// taken from whatever globals happen to be set. The @ hides any open() errors.
@readfile( "$root_dir/locales/$AppUI->user_locale/common.inc" );
@readfile( "$root_dir/locales/$AppUI->user_locale/$m.inc" );
..
********

We can see that $root_dir is never defined before it is used, so with register_globals enabled it can be injected from the query string. An attacker may request the following URI:
http://victim/dotproject/locales/core.php?root_dir=/file_or_dir_path/%00

Here %00 is a URL-encoded null byte. PHP's file functions of that era handed the path to the C library unchanged, and a C string ends at the first NUL, so everything appended by the script after $root_dir (the /locales/.../common.inc suffix) is silently discarded and the file named by the root_dir value is opened instead. Because core.php performs no access check and the output buffer is flushed when the script ends, the file's contents are returned to the attacker. (When targeting a regular file the value should end in the file name immediately followed by %00, since a trailing slash after a file name fails with ENOTDIR on Unix.)
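A hardened form of the same include, written here as an added illustration (it is not dotproject's own code or vendor patch). It assumes the application's front controller defines a DP_BASE_DIR constant before including core.php, and that $AppUI->user_locale and $m are set by that controller rather than by the request; both names are assumptions for the example. The three fixes are: refuse direct invocation, never take the base directory from request data, and reduce the user-influenced path components to a single validated directory or file name so that neither a null byte nor a ../ sequence can reach the filesystem call.

```php
<?php
// Added example, not dotproject's original code.
// Assumption: the including script defines DP_BASE_DIR and sets $AppUI and $m.

// 1. This file is an include, not an endpoint. Refuse direct requests.
if (!defined('DP_BASE_DIR')) {
    header('HTTP/1.0 403 Forbidden');
    exit('Direct access not permitted');
}

// 2. The base directory comes from the application, never from the request,
//    so a register_globals injection of $root_dir has no effect.
$root_dir = DP_BASE_DIR;

// 3. Reduce a user-influenced locale name to one plain directory-name token
//    and confirm the resolved directory still lies inside the locales tree.
function dp_safe_locale($candidate, $locales_dir, $default = 'en')
{
    // The token rule alone excludes null bytes, slashes and '..' sequences.
    if (!is_string($candidate) || !preg_match('/^[A-Za-z0-9_-]{1,32}$/', $candidate)) {
        return $default;
    }
    $base   = realpath($locales_dir);
    $target = realpath($locales_dir . '/' . $candidate);
    if ($base === false || $target === false
        || strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return $default;
    }
    return $candidate;
}

// Same rule for the module name that is used to build "$m.inc".
function dp_safe_module($candidate, $default = 'index')
{
    if (is_string($candidate) && preg_match('/^[A-Za-z0-9_]{1,32}$/', $candidate)) {
        return $candidate;
    }
    return $default;
}

$locales_dir = $root_dir . '/locales';
$locale = dp_safe_locale(isset($AppUI->user_locale) ? $AppUI->user_locale : '', $locales_dir);
$module = dp_safe_module(isset($m) ? $m : '');

ob_start();
foreach (array('common', $module) as $inc) {
    $file = $locales_dir . '/' . $locale . '/' . $inc . '.inc';
    // Only regular files inside the validated locale directory are ever read,
    // and failures are not silenced with @, so they show up in the error log.
    if (is_file($file)) {
        readfile($file);
    }
}
```

The allow-list regular expression does the real work: a request value such as `/etc/passwd%00` or `../../config.php` never matches a bare token, so the fallback locale is used and no attacker-chosen string is ever concatenated into a path. The realpath check is belt-and-braces against a symlink placed inside the locales directory.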

Solution:
Please check the vendor's website for new patches. As a temporary measure, create a .htaccess file containing "Deny from all" and place it in the locales directory that holds core.php; this blocks remote users from requesting the file directly while still allowing the application to include it. (On Apache 2.4 the equivalent directive is "Require all denied".) Disabling register_globals in php.ini also removes the injection vector for this and similar bugs.

Categories: UNIX