Some vulnerabilities have been discovered in dotProject, which can be exploited by malicious people to disclose certain system information and compromise a vulnerable system.

1) Input passed to the "baseDir" parameter in "classes/query.class.php", "/includes/db_adodb.php", "/includes/db_connect.php", "/includes/session.php", "/modules/admin/vw_usr_roles.php", "/modules/public/calendar.php", and "/modules/public/date_format.php" isn't properly verified, before it is used to include files. This can be exploited to include arbitrary files from external and local resources.

Successful exploitation requires that "register_globals" is enabled.

2) Input passed to the "dPconfig[root_dir]" parameter in "/modules/projects/gantt.php", "/modules/projects/gantt2.php", "/modules/projects/vw_files.php", and "/modules/tasks/gantt.php" isn't properly verified, before it is used to include files. This can be exploited to include arbitrary files from external and local resources.

Successful exploitation requires that "register_globals" is enabled.

3) It is possible to disclose system configuration information by accessing "/docs/phpinfo.php" and "/docs/check.php".

The vulnerabilities have been confirmed in versions 2.0.1 and 2.0.4. Other versions may also be affected.

Note: It is also possible to disclose path information when PHP "display_errors" is enabled by accessing files in the /db/ directory with certain parameters.

Solution
Update to version 2.1.2.

Provided and/or discovered by
Robin Verton

1) Robin Verton and Kacper

Changelog
Further details available in Customer Area

Deep Links
Links available in Customer Area