dotproject Remote File Access Vulnerability


dotproject is a beta-level, web-based PHP+MySQL project management and tracking tool that dotmarketing started in Dec. 2000. A vulnerability exists in core.php, a file in the /locale/ directory. Because the directory is not protected by a .htaccess file and core.php performs no security check of its own, an attacker may request it directly and read local files with the web server's permissions.


The information has been provided by Mindwarper.


Here is the code of core.php:
@readfile( "$root_dir/locales/$AppUI->user_locale/common.inc" );
@readfile( "$root_dir/locales/$AppUI->user_locale/$m.inc" );

$root_dir is never defined before these calls, so it may be injected through the request if PHP's register_globals setting is on. An attacker may type in the browser the following URI:

Here the %00 (a URL-encoded null byte) terminates the path string, so everything that comes after it is ignored and the attacker may be able to read any file on the server.

Please check the vendor's website for new patches. As a temporary solution, create a .htaccess file that contains 'Deny from all' and place it in the /locale/ directory; that should block remote users from accessing it.
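
A hardened form of the two readfile() calls above, as an added example (not dotproject's code and not the vendor's patch). DP_BASE_DIR and safe_locale_file() are hypothetical names; the example assumes the application's entry point defines DP_BASE_DIR before including this file, and that locale and module names use only letters, digits and underscores.

```php
<?php
// Added example. DP_BASE_DIR and safe_locale_file() are hypothetical names.

// 1. Refuse direct requests: only the application's entry point defines this
//    constant, so a request made straight to this file stops here.
if (!defined('DP_BASE_DIR')) {
    http_response_code(403);
    exit('Direct access is not allowed.');
}

/**
 * Resolve a locale file to a real path inside <base>/locales, or return null.
 */
function safe_locale_file(string $baseDir, string $locale, string $name): ?string
{
    // 2. Allow-list the characters (assumed naming scheme). This rejects "/",
    //    "..", and NUL bytes before any path is built.
    if (!preg_match('/^[A-Za-z_]{2,10}$/', $locale)) {
        return null;
    }
    if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', $name)) {
        return null;
    }

    // 3. Canonicalise, then confirm the result is still under the locales root.
    $root = realpath($baseDir . '/locales');
    if ($root === false) {
        return null;
    }
    $path = realpath("$root/$locale/$name.inc");
    if ($path === false) {
        return null;
    }
    $prefix = $root . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// The base directory comes from the constant, never from a request variable.
// $AppUI and $m are the variables used in the original snippet.
foreach (['common', (string) $m] as $name) {
    $file = safe_locale_file(DP_BASE_DIR, (string) $AppUI->user_locale, $name);
    if ($file !== null) {
        readfile($file); // no "@", so failures reach the error log
    }
}
```

The constant check addresses the direct-call problem even where .htaccess files are not honoured, and the allow-list plus realpath() check keeps an injected value from steering the read outside the locales directory.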

Categories: UNIX