CaseySoftware, LLC - Supporters & Developers of web2project | Connecting Developers, Building Worlds

Items of Interest

Links of Interest

PHP'ers:
Ben Ramsey
Brandon Savage
Cal Evans
Chris Shiflett
Eli White
Elizabeth Naramore
Joe LeBlanc
Justin Thorp
Matthew Weier O'Phinney
Rasmus Lerdorf
Tony Bibbs
Zend Blogs
Zend DevZone

DC Social Media:
Aaron Brazell
Jessie X
Ken Yeung
New Media Jim
Shashi B
Social Times

Technologists:
Jimmy Gardner
O'Reilly Radar
Scott Berkun
Steve McConnell

Business/mISV:
Bob Walsh
Eric Sink
Gavin Bowman
Guy Kawasaki
Joel Spolsky
Micah Baldwin
Paul Graham
Planet mISV

Past Projects:
CodeSnipers
HOBY
Judicial Watch
mobile Fox Affiliates
mobile FoxNews.com
MyDearJohnLetter
NRTW
techRepublican

Great Tools I use:
BaseCamp
Drupal
getClicky
Highrise
phpUnit
Qcodo
Subversion
web2Project
Zend Framework

Search

This is not the home of dotProject. It is the home of CaseySoftware, LLC. Any dotProject support questions should be referred to their support forums.

Recent blog posts

Popular content

Today's:

Last viewed:

Vulnerability Disclosure / dotProject

Tags: dotProject

News

PHP

Project Management

security

vulnerabilities

web2project

Date: 30 July, 2008 - 08:00

In the past week, a few people have called me to task about referencing the dotProject vulnerability in the Project Importer Release and Risk Management Module update without giving details or even proof. Since the release of the fix (dotProject 2.1.2), I finally feel that it is appropriate to discuss this in detail.

First of all, congrats to the dotProject team on the latest release. Rolling a release is always a painful thing and coordinating the pieces it takes for a successful Open Source project - and more importantly - and solid community is difficult by all measures.

Next, yes, I waited to release the details of this vulnerability to the general public. I believe this is entirely appropriate and preferred by existing dotProject users. Although I was not the person to discover it - it was a previous customer of CaseySoftware - upon validation, I passed it along to both the current web2project team and the dotProject team to give everyone time to respond before knowledge of the vulnerability became widespread. I believe thisis the only appropriate way to respond.

And now on with the juicy stuff... the vulnerability:

Before I go any further, please ensure that you have upgraded your installation of dotProject and/or web2project. The dotProject release on 29 July resolves this and web2project has been protected since r168 (20 May).

In simple terms, the Secunia writeup submitted by Jonathan Parish is completely and entirely correct but it only scratches the surface of the problem.

dotProject - and previously web2project - were not revalidating your permissions to perform an action when you actually attempted the action. It doesn't take much to see how this could be a problem.

All of that said, there is one large barrier to prevent this from being too damaging: To perform any actions, you must have an active User session. Therefore, you are protected from some random person passing by, but hugely at risk from your own users.

The only fix for this... upgrade to dotProject 2.1.2 immediately. The first official release of web2project will have this included and if you've downloaded the code since 20 May 2008, you're already covered.

Keith Casey's blog

Add new comment

Read more

Site Navigation