Vulnerabilities > CVE-2006-0756 - Unspecified vulnerability in Dotproject 2.0/2.0.1

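CVSS 0.0 - NONE (every metric listed below is UNKNOWN, which suggests the entry is unscored rather than rated harmless; the Nessus plugin further down this page sets CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)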
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
dotproject
nessus

Summary

dotProject 2.0.1 and earlier leaves (1) phpinfo.php and (2) check.php accessible under the /docs/ directory after installation, which allows remote attackers to obtain sensitive configuration information. NOTE: the vendor disputes this issue, saying that it could only occur if the administrator ignores the installation instructions as well as warnings generated by check.php.

Vulnerable Configurations

Part Description Count
Application
Dotproject
2

Nessus

NASL family: CGI abuses
NASL id: DOTPROJECT_DOCS_DIR_INFO_DISCLOSURE.NASL
description: The remote host is running dotProject, a web-based, open source, project management application written in PHP. The installed version of dotProject discloses sensitive information because it lets an unauthenticated attacker call scripts in the 'docs' directory.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 20926
published: 2006-02-15
reporter: This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/20926
title: dotProject docs/ Directory Multiple Script Information Disclosure
code:
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

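# Registration block. When the `description` flag is set the script only
# declares its metadata (ids, report text, scheduling requirements) and then
# exits; the actual check lives below this block.
if (description) {
  script_id(20926);
  script_version("1.17");

  script_cve_id("CVE-2006-0756");

  script_name(english:"dotProject docs/ Directory Multiple Script Information Disclosure");
  script_summary(english:"Checks for docs directory information disclosure vulnerabilities in dotProject");

  # Text shown in the finding. The string bodies start at column 0 on purpose:
  # the line breaks and leading characters are part of the reported text.
  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is affected by
multiple information disclosure vulnerabilities." );
  script_set_attribute(attribute:"description", value:
"The remote host is running dotProject, a web-based, open source,
project management application written in PHP. 

The installed version of dotProject discloses sensitive information
because it lets an unauthenticated attacker call scripts in the 'docs'
directory." );
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/424957/30/0/threaded" );
  # https://web.archive.org/web/20140606163236/http://www.dotproject.net/vbulletin/showthread.php?t=4462
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f8153914" );
  # The remediation text names 'docs', matching the description above and the
  # /docs/ path this plugin requests; the previous wording said 'doc', which
  # is not the directory being tested.
  script_set_attribute(attribute:"solution", value:
"Remove the application's 'docs' directory." );
  # CVSS v2: network reachable, low complexity, no authentication,
  # partial confidentiality impact, no integrity or availability impact.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_attribute(attribute:"plugin_publication_date", value: "2006/02/15");
  script_set_attribute(attribute:"vuln_publication_date", value: "2006/02/14");
  script_cvs_date("Date: 2018/11/15 20:50:16");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value: "cpe:/a:dotproject:dotproject");
  script_end_attributes();

  # ACT_GATHER_INFO: the plugin is registered as an information-gathering check.
  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");

  # Scheduling: depends on http_version.nasl, is excluded when the
  # Settings/disable_cgi_scanning key is set, and requires a web port
  # (Services/www or 80) plus the www/PHP key.
  script_dependencies("http_version.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/PHP");
  exit(0);
}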

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");


# Select the web port to test (default 80), asking for a non-embedded server
# with PHP support (embedded: 0, php: 1).
port = get_http_port(default:80, embedded: 0, php: 1);


# Build the list of candidate install directories. With thorough tests enabled
# the two common dotProject paths are added ahead of the known CGI directories
# and duplicates are dropped; otherwise only the CGI directories are used.
if (thorough_tests)
{
  dirs = list_uniq(make_list("/dotproject", "/dotProject", cgi_dirs()));
}
else
{
  dirs = make_list(cgi_dirs());
}

foreach dir (dirs)
{
  # Fetch the directory's index.php; exit_on_fail ends the script on failure.
  index_page = http_get_cache(item:string(dir, "/index.php"), port:port, exit_on_fail: 1);

  # Fingerprint 1: an installed dotProject front page carries the logo alt text.
  has_logo = (' alt="dotProject logo"' >< index_page);

  # Fingerprint 2: a copy that has not been installed yet shows a timed
  # refresh together with the "start installation" link text.
  awaiting_install = (
    "<meta http-equiv='refresh' content='5;" >< index_page &&
    "Click Here To Start Installation and Create One!" >< index_page
  );

  if (has_logo || awaiting_install)
  {
    # Request the bundled phpinfo.php from the docs directory.
    # NOTE(review): only docs/phpinfo.php is requested here. docs/check.php,
    # the second script named in CVE-2006-0756, is not probed, so a host that
    # removed phpinfo.php but kept check.php would not be flagged.
    phpinfo_url = string(dir, "/docs/phpinfo.php");
    reply = http_send_recv3(method: "GET", item:phpinfo_url, port:port, exit_on_fail: 1);

    # reply[2] is the response body. "PHP Version" is the only marker checked,
    # so any body containing that phrase counts as phpinfo() output.
    # NOTE(review): the report carries just the port, not the URL that
    # answered; confirm the path by hand when triaging a finding.
    if ("PHP Version" >< reply[2])
    {
      security_warning(port);
      exit(0);
    }
  }
}