VID |
21838 |
Severity |
20 |
Port |
80, ... |
Protocol |
TCP |
Class |
CGI |
Detailed Description |
dotProject is affected by information disclosure vulnerabilities that exist in versions prior to 2.0.1. dotProject is an open-source Web project management tool written in PHP. dotProject version 2.0.1 and possibly earlier versions leave the phpinfo.php and check.php scripts accessible under the /docs/ directory after installation, which could allow a remote attacker to obtain sensitive configuration information.
* References:
  http://www.dotproject.net/vbulletin/showthread.php?t=4462
  http://www.securityfocus.com/archive/1/424957/30/0/threaded
  http://www.securityfocus.com/archive/1/425285/100/0/threaded
  http://archives.neohapsis.com/archives/bugtraq/2006-02/0204.html
  http://www.frsirt.com/english/advisories/2006/0604
  http://secunia.com/advisories/18879
* Platforms Affected:
  dotmarketing, Inc.: dotProject version 2.0.1 and earlier versions
  Any operating system: Any version |
Recommendation |
No upgrade or patch available as of February 2006.
Upgrade to a version of dotProject later than 2.0.1 when a new version that fixes this problem becomes available from the dotProject Web site at http://www.dotproject.net/
As a workaround, remove files from the "/docs" directory. |
Related URL |
CVE-2006-0756 (CVE) |
Related URL |
(SecurityFocus) |
Related URL |
24745 (ISS) |
|