Document Title:
===============
dotProject GW v2.1.5 - Multiple SQL Injection Vulnerabilities

Release Date:
=============
2011-07-24

Vulnerability Laboratory ID (VL-ID):
====================================
83

Product & Service Introduction:
===============================
dotProject is a PHP web-based project management framework that includes modules for companies, projects, tasks (with Gantt charts), forums, files, calendar, contacts, tickets/helpdesk, multi-language support, user/module permissions and themes. dotProject is a volunteer-supported project management application. There is no company behind this project; it is managed, maintained, developed and supported by a volunteer group and by the users themselves. For more about the product, what it does, etc., please follow the links to the doc site at the top of the site. The software is free to anyone who would like to download it. Day-to-day support is provided free by volunteers. If you would like to see the system in operation, use the Demo link in the modules list at the top left of the site. If you would like to download the package, use the downloads link at the top right. Please be aware that the CVS snapshot is guaranteed to be UNSTABLE and should not be used on a production site or if you are not willing to do some work at the code level. If you are looking for support, to ask a question or to check whether issues have been raised by others, use the support link at the top right to access our support forums. PLEASE do not send Private Messages to the site admins or other participants on the site; this just means that you are trying to jump the priority queue, that any answers you receive are then selfishly not shared with the rest of the user community, or that you may ask the wrong person who cannot help you. Priority Support is available at a cost: log in to the support forums and use your UserCP from there for subscription details and pricing.
(Copy of the Vendor Website: http://www.dotproject.net/)

Abstract Advisory Information:
==============================
The Vulnerability-Lab Team discovered multiple SQL injection vulnerabilities in the dotProject groupware / project management application.

Vulnerability Disclosure Timeline:
==================================
2011-00-00: Vendor Notification
2011-00-00: Vendor Response/Feedback
2011-00-00: Vendor Fix/Patch
2011-00-00: Public or Non-Public Disclosure

Discovery Status:
=================
Published

Affected Product(s):
====================

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High

Technical Details & Description:
================================
Multiple SQL injection vulnerabilities were detected in the dotProject project management application. Two request parameters of index.php are placed unsanitized into SQL queries: user_id in the admin module's viewuser action, which is interpolated directly into the WHERE clause (see the "WHERE u.user_id = -1" query in the second error log below), and table_name in the contacts module's select_contact_company action, which, judging from the first error log, lands inside the FROM clause as a table identifier. A remote attacker can inject arbitrary SQL into these queries and thereby read or manipulate data in the database (DBMS) behind the affected application. Note that the second sink is an identifier position: it cannot be protected by quoting or escaping the value, which matters for the fix.

Vulnerable Module(s):
[+] ?m=admin&a=viewuser&user_id=
[+] ?m=contacts&a=select_contact_company&dialog=1&table_name=

1.1
--- SQL Error Logs ---
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' FROM ( `-1 ) at line 1

1.2
--- SQL Error Logs ---
ERROR: /home/xxx/public_html/demo/dotproject/includes/db_adodb.php(66): Error executing: SELECT u.*,con.*, company_id, company_name, dept_name, dept_id FROM ( `users` as u ) LEFT JOIN `contacts` AS con ON user_contact = contact_id LEFT JOIN `companies` AS com ON contact_company = company_id LEFT JOIN `departments` AS dep ON dept_id = contact_department WHERE u.user_id = -1 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near at line 1)
Backtrace:
0 /home/opencms/public_html/demo/dotproject/includes/db_adodb.php:66 dprint('/home/xxx/public_html/demo/dotproject/includes/db_adodb.php',66,0,'Error executing: SELECT u.*,con.*, company_id, company_name, dept_name, dept_id FROM ( `users` as u ) LEFT JOIN `contacts` AS con ON user_contact = contact_id LEFT JOIN `companies` AS com ON contact_company = company_id LEFT JOIN `departments` AS dep ON dept_id = contact_department WHERE u.user_id = -1 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near at line 1)')
1 /home/xxx/public_html/demo/dotproject/includes/db_connect.php:103 db_exec('SELECT u.*,con.*, company_id, company_name, dept_name, dept_id FROM ( `users` as u ) LEFT JOIN `contacts` AS con ON user_contact = contact_id LEFT JOIN `companies` AS com ON contact_company = company_id LEFT JOIN `departments` AS dep ON dept_id = contact_department WHERE u.user_id = -1 ')
2 /home/opencms/public_html/demo/dotproject/modules/admin/viewuser.php:62 db_loadHash('SELECT u.*,con.*, company_id, company_name, dept_name, dept_id FROM ( `users` as u ) LEFT JOIN `contacts` AS con ON user_contact = contact_id LEFT JOIN `companies` AS com ON contact_company = company_id LEFT JOIN `departments` AS dep ON dept_id = contact_department WHERE u.user_id = -1 ', NULL)
3 /home/opencms/public_html/demo/dotproject/index.php:299 require('/home/xxx/public_html/demo/dotproject/modules/admin/viewuser.php')
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near at line 1

Pictures:
../dotproject1.png
../dotproject2.png

Proof of Concept (PoC):
=======================
The SQL injection vulnerabilities can be exploited by remote attackers. For demonstration or to reproduce ...
Path: ../dotproject/
File: index.php
Para: ?m=contacts&a=select_contact_company&dialog=1&table_name=
Para: index.php?m=admin&a=viewuser&user_id=

PoC:
http://23.xxx.com/dotproject/index.php?m=contacts&a=select_contact_company&dialog=1&table_name=[SQL-Injection]&company_id=0
http://23.xxx.com/dotproject/index.php?m=admin&a=viewuser&user_id=[SQL-Injection]&tab=3

Solution - Fix & Patch:
=======================
Stop building the affected queries by string concatenation. Bind user_id as a parameter of a prepared statement, or cast it to an integer before it reaches the query, so the WHERE clause can no longer be altered. The table_name parameter is used as a table identifier; identifiers cannot be bound as parameters and are not made safe by string escaping, so validate table_name against a fixed allow-list of the table names the dialog is permitted to query and reject every other value before any SQL is built.

Security Risk:
==============
The security risk of the SQL injection vulnerabilities is estimated as high.

Credits & Authors:
==================
Vulnerability Research Laboratory

Disclaimer & Information:
=========================
The information provided in this advisory is provided as is, without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and fitness for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental or consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply. We do not approve of or encourage anybody to break any vendor licenses or policies, deface websites, hack into databases or trade in fraudulent/stolen material.
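The following is an added example and not dotProject's own code: it models the two sinks named in this advisory (user_id in a WHERE clause, table_name in a FROM clause) on an in-memory SQLite database in Python, so the injection and the fix can be run offline without a MySQL/PHP stack. The table and column names follow the query in the error log above; the cut-down schema, the row data, the injection payloads and the ALLOWED_TABLES list are assumptions constructed for the demonstration.

```python
"""
Added example, not dotProject code: both injection sinks named in this
advisory modelled on an in-memory SQLite database, beside a hardened form.
Table and column names follow the query in the error log; the schema,
row data and the list of permitted tables are constructed for this demo.
"""
import sqlite3

# Constructed sample schema and data (assumption: a cut-down version of the
# users/contacts/companies tables referenced in the logged query).
SCHEMA = """
CREATE TABLE users (user_id INTEGER, user_username TEXT, user_contact INTEGER);
CREATE TABLE contacts (contact_id INTEGER, contact_company INTEGER);
CREATE TABLE companies (company_id INTEGER, company_name TEXT);
INSERT INTO users VALUES (1, 'admin', 1), (2, 'alice', 2);
INSERT INTO contacts VALUES (1, 1), (2, 1);
INSERT INTO companies VALUES (1, 'Example Corp');
"""

# Tables the select_contact_company dialog may legitimately query (assumption).
ALLOWED_TABLES = {"companies", "contacts"}


def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


# ---- vulnerable forms: the request parameter is pasted into the SQL text ----

def viewuser_vulnerable(conn, user_id):
    # user_id lands in the WHERE clause as raw text, like
    # "WHERE u.user_id = -1" in the advisory's error log.
    sql = ("SELECT u.user_id, u.user_username FROM users AS u "
           "LEFT JOIN contacts AS con ON u.user_contact = con.contact_id "
           "WHERE u.user_id = " + user_id)
    return conn.execute(sql).fetchall()


def select_contact_company_vulnerable(conn, table_name):
    # table_name lands in the FROM clause as a backtick-quoted identifier.
    sql = "SELECT company_id, company_name FROM `%s`" % table_name
    return conn.execute(sql).fetchall()


# ---- hardened forms ----

def viewuser_fixed(conn, user_id):
    # user_id is an integer column: parse the value and bind it as a
    # parameter, so the database never sees attacker-controlled SQL text.
    try:
        uid = int(user_id)
    except (TypeError, ValueError):
        raise ValueError("user_id must be an integer")
    sql = ("SELECT u.user_id, u.user_username FROM users AS u "
           "LEFT JOIN contacts AS con ON u.user_contact = con.contact_id "
           "WHERE u.user_id = ?")
    return conn.execute(sql, (uid,)).fetchall()


def select_contact_company_fixed(conn, table_name):
    # Identifiers cannot be bound as parameters and escaping does not help
    # in this position, so the robust fix is an allow-list check first.
    if table_name not in ALLOWED_TABLES:
        raise ValueError("table_name is not a permitted table")
    sql = "SELECT company_id, company_name FROM `%s`" % table_name
    return conn.execute(sql).fetchall()


def rejects(fn, conn, value, exc=ValueError):
    """True if fn(conn, value) raises exc, i.e. the input was refused."""
    try:
        fn(conn, value)
    except exc:
        return True
    return False


if __name__ == "__main__":
    db = connect()
    # Tautology in the WHERE clause: every user comes back instead of one.
    print(viewuser_vulnerable(db, "-1 OR 1=1"))
    # Closing the backtick and appending a UNION reads the users table
    # through the company dialog; "--" comments out the trailing backtick.
    print(select_contact_company_vulnerable(
        db, "companies` UNION SELECT user_id, user_username FROM users --"))
    # The same style of input is refused by the hardened forms before any SQL runs.
    print(rejects(viewuser_fixed, db, "-1 OR 1=1"),
          rejects(select_contact_company_fixed, db, "companies` UNION SELECT 1,2 --"))
```

Running the block shows the tautology payload returning both users from viewuser_vulnerable and the UNION payload pulling user rows out of the company dialog, while the hardened functions raise ValueError on the same inputs. The user_id fix relies on the column being an integer; the table_name fix relies on the allow-list, because there is no parameter-binding mechanism for identifiers in MySQL or SQLite.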
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partial use, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by the Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks of the Vulnerability-Lab team and the specific authors or managers. To record, list (feed), modify, use or edit our material, contact admin@vulnerability-lab.com or support@vulnerability-lab.com to obtain permission.

Copyright © 2012 | Vulnerability Laboratory