2.0.1

CVSS 0.0 - NONE

Attack vector

UNKNOWN

Attack complexity

UNKNOWN

Privileges required

UNKNOWN

Confidentiality impact

UNKNOWN

Integrity impact

UNKNOWN

Availability impact

UNKNOWN

dotproject

nessus

exploit available

NVD

Published: 2006-02-18

Updated: 2024-04-11

Summary

Multiple PHP remote file include vulnerabilities in dotProject 2.0.1 and earlier, when register_globals is enabled, allow remote attackers to execute arbitrary commands via the baseDir parameter in (1) db_adodb.php, (2) db_connect.php, (3) session.php, (4) vw_usr_roles.php, (5) calendar.php, (6) date_format.php, and (7) tasks/gantt.php; and the dPconfig[root_dir] parameter in (8) projects/gantt.php, (9) gantt2.php, and (10) vw_files.php. NOTE: the vendor disputes this issue, stating that the product documentation clearly recommends that the system administrator disable register_globals, and that the check.php script warns against this setting. Also, the vendor says that the protection.php/siteurl vector is incorrect because protection.php does not exist in the product

Vulnerable Configurations

Part	Description	Count
Application	Dotproject Dotproject Dotproject 2.0 Dotproject Dotproject 2.0.1	2

Exploit-Db

description	Dotproject 2.0 /includes/db_connect.php baseDir Remote File Inclusion. CVE-2006-0755. Webapps exploit for php platform
id	EDB-ID:27218
last seen	2016-02-03
modified	2006-02-14
published	2006-02-14
reporter	r.verton
source	https://www.exploit-db.com/download/27218/
title	Dotproject 2.0 /includes/db_connect.php baseDir Remote File Inclusion

description	Dotproject 2.0 /modules/public/date_format.php baseDir Parameter Remote File Inclusion. CVE-2006-0755. Webapps exploit for php platform
id	EDB-ID:27224
last seen	2016-02-03
modified	2006-02-14
published	2006-02-14
reporter	r.verton
source	https://www.exploit-db.com/download/27224/
title	Dotproject 2.0 /modules/public/date_format.php baseDir Parameter Remote File Inclusion

description	Dotproject 2.0 /includes/session.php baseDir Parameter Remote File Inclusion. CVE-2006-0755. Webapps exploit for php platform
id	EDB-ID:27219
last seen	2016-02-03
modified	2006-02-14
published	2006-02-14
reporter	r.verton
source	https://www.exploit-db.com/download/27219/
title	Dotproject 2.0 /includes/session.php baseDir Parameter Remote File Inclusion

description	Dotproject 2.0 /modules/tasks/gantt.php baseDir Parameter Remote File Inclusion. CVE-2006-0755. Webapps exploit for php platform
id	EDB-ID:27225
last seen	2016-02-03
modified	2006-02-14
published	2006-02-14
reporter	r.verton
source	https://www.exploit-db.com/download/27225/
title	Dotproject 2.0 /modules/tasks/gantt.php baseDir Parameter Remote File Inclusion

description	Dotproject 2.0 /modules/projects/gantt2.php dPconfig[root_dir] Parameter Remote File Inclusion. CVE-2006-0755. Webapps exploit for php platform
id	EDB-ID:27220
last seen	2016-02-03
modified	2006-02-14
published	2006-02-14
reporter	r.verton
source	https://www.exploit-db.com/download/27220/
title	Dotproject 2.0 - /modules/projects/gantt2.php dPconfigroot_dir Parameter Remote File Inclusion

description	Dotproject 2.0 /modules/public/calendar.php baseDir Parameter Remote File Inclusion. CVE-2006-0755. Webapps exploit for php platform
id	EDB-ID:27223
last seen	2016-02-03
modified	2006-02-14
published	2006-02-14
reporter	r.verton
source	https://www.exploit-db.com/download/27223/
title	Dotproject 2.0 /modules/public/calendar.php baseDir Parameter Remote File Inclusion

description	Dotproject 2.0 /modules/projects/vw_files.php dPconfig[root_dir] Parameter Remote File Inclusion. CVE-2006-0755. Webapps exploit for php platform
id	EDB-ID:27221
last seen	2016-02-03
modified	2006-02-14
published	2006-02-14
reporter	r.verton
source	https://www.exploit-db.com/download/27221/
title	Dotproject 2.0 - /modules/projects/vw_files.php dPconfigroot_dir Parameter Remote File Inclusion

description	Dotproject 2.0 /modules/projects/gantt.php dPconfig[root_dir] Parameter Remote File Inclusion. CVE-2006-0755. Webapps exploit for php platform
id	EDB-ID:27217
last seen	2016-02-03
modified	2006-02-14
published	2006-02-14
reporter	r.verton
source	https://www.exploit-db.com/download/27217/
title	Dotproject 2.0 - /modules/projects/gantt.php dPconfigroot_dir Parameter Remote File Inclusion

description	dotproject <= 2.1.6 - Remote File Inclusion Vulnerability. CVE-2006-0755. Webapps exploit for php platform
id	EDB-ID:22708
last seen	2016-02-02
modified	2012-11-14
published	2012-11-14
reporter	dun
source	https://www.exploit-db.com/download/22708/
title	dotproject <= 2.1.6 - Remote File Inclusion Vulnerability

description	Dotproject 2.0 /modules/admin/vw_usr_roles.php baseDir Parameter Remote File Inclusion. CVE-2006-0755. Webapps exploit for php platform
id	EDB-ID:27222
last seen	2016-02-03
modified	2006-02-14
published	2006-02-14
reporter	r.verton
source	https://www.exploit-db.com/download/27222/
title	Dotproject 2.0 /modules/admin/vw_usr_roles.php baseDir Parameter Remote File Inclusion

Nessus

NASL family	CGI abuses
NASL id	DOTPROJECT_FILE_INCLUDES.NASL
description	The remote host is running dotProject, a web-based, open source, project management application written in PHP. The installed version of dotProject fails to sanitize input to various parameters and scripts before using it to include PHP code. Provided PHP
last seen	2020-06-01
modified	2020-06-02
plugin id	20925
published	2006-02-15
reporter	This script is Copyright (C) 2006-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/20925
title	dotProject Multiple Scripts Remote File Inclusion
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(20925); script_version("1.25"); script_cve_id("CVE-2006-0754", "CVE-2006-0755", "CVE-2006-4234"); script_bugtraq_id(16648, 19547); script_xref(name:"EDB-ID", value:"2191"); script_name(english:"dotProject Multiple Scripts Remote File Inclusion"); script_summary(english:"Checks for remote file include vulnerabilities in dotProject"); script_set_attribute(attribute:"synopsis", value: "The remote web server contains a PHP application that is affected by multiple remote file include vulnerabilities." ); script_set_attribute(attribute:"description", value: "The remote host is running dotProject, a web-based, open source, project management application written in PHP. The installed version of dotProject fails to sanitize input to various parameters and scripts before using it to include PHP code. Provided PHP's 'register_globals' setting is enabled, an unauthenticated attacker may be able to exploit these flaws to view arbitrary files on the remote host or to execute arbitrary PHP code, possibly taken from third-party hosts." ); script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/424957/30/0/threaded" ); # https://web.archive.org/web/20140606163236/http://www.dotproject.net/vbulletin/showthread.php?t=4462 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f8153914" ); script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/425285/100/0/threaded" ); script_set_attribute(attribute:"solution", value: "Disable PHP's 'register_globals' setting as per the application's installation instructions." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:W/RC:ND"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_publication_date", value: "2006/02/15"); script_set_attribute(attribute:"vuln_publication_date", value: "2006/02/14"); script_cvs_date("Date: 2018/11/15 20:50:16"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value: "cpe:/a:dotproject:dotproject"); script_set_attribute(attribute:"exploited_by_nessus", value:"true"); script_end_attributes(); script_category(ACT_ATTACK); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2006-2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("http_version.nasl"); script_exclude_keys("Settings/disable_cgi_scanning"); script_require_ports("Services/www", 80); script_require_keys("www/PHP"); exit(0); } include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); include("data_protection.inc"); port = get_http_port(default:80, embedded: 0); if (!can_host_php(port:port)) exit(0); # Loop through directories. if (thorough_tests) dirs = list_uniq(make_list("/dotproject", "/dotProject", cgi_dirs())); else dirs = make_list(cgi_dirs()); foreach dir (dirs) { # Try to exploit one of the flaws to read /etc/passwd. file = "/etc/passwd"; r = http_send_recv3(method: "GET", port: port, item:string( dir, "/includes/db_adodb.php?", "baseDir=", file, "%00" )); if (isnull(r)) exit(0); # There's a problem if... if ( # there's an entry for root or... egrep(pattern:"root:.:0:[01]:", string:r[2]) \|\| # we get an error saying "failed to open stream". egrep(pattern:"main\(/etc/passwd\\0/lib/adodb/adodb\.inc\.php.+ failed to open stream", string:r[2]) \|\| # we get an error claiming the file doesn't exist or... egrep(pattern:"main\(/etc/passwd\).: failed to open stream: No such file or directory", string:r[2]) \|\| # we get an error about open_basedir restriction. egrep(pattern:"main.+ open_basedir restriction in effect. File\(/etc/passwd", string:r[2]) ) { if (egrep(string:r[2], pattern:"root:.*:0:[01]:")) contents = r[2] - strstr(r[2], "<br"); if (isnull(contents) \|\| !report_verbosity) security_hole(port); else { contents = data_protection::redact_etc_passwd(output:contents); report = string( "\n", "Here are the contents of the file '", file, "' that\n", "Nessus was able to read from the remote host :\n", "\n", contents ); security_hole(port:port, extra:report); } exit(0); } }

Summary

Vulnerable Configurations

Exploit-Db

Nessus

References