Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

Unknown

Privileges Required

Unknown

Attack Vector

Unknown

0

CVE-2006-0755

Disclosure Date: February 18, 2006 •

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Multiple PHP remote file include vulnerabilities in dotProject 2.0.1 and earlier, when register_globals is enabled, allow remote attackers to execute arbitrary commands via the baseDir parameter in (1) db_adodb.php, (2) db_connect.php, (3) session.php, (4) vw_usr_roles.php, (5) calendar.php, (6) date_format.php, and (7) tasks/gantt.php; and the dPconfig[root_dir] parameter in (8) projects/gantt.php, (9) gantt2.php, and (10) vw_files.php. NOTE: the vendor disputes this issue, stating that the product documentation clearly recommends that the system administrator disable register_globals, and that the check.php script warns against this setting. Also, the vendor says that the protection.php/siteurl vector is incorrect because protection.php does not exist in the product

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

None

Impact Score:

Unknown

Exploitability Score:

Unknown

Vector:

Attack Vector (AV):

Unknown

Attack Complexity (AC):

Unknown

Privileges Required (PR):

Unknown

User Interaction (UI):

Unknown

Scope (S):

Unknown

Confidentiality (C):

Unknown

Integrity (I):

Unknown

Availability (A):

Unknown

Vendors

dotproject

Products

Weaknesses

NVD-CWE-Other

References

Canonical

CVE-2006-0755 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0755)

BID-16648 (http://www.securityfocus.com/bid/16648)

Advisory

20060214 dotproject <= 2.0.1 remote code execution (http://www.securityfocus.com/archive/1/424957/100/0/threaded)

OSVDB-23210 (http://www.osvdb.org/23210)

OSVDB-23216 (http://www.osvdb.org/23216)

OSVDB-23217 (http://www.osvdb.org/23217)

SECUNIA-18879 (http://secunia.com/advisories/18879)

OSVDB-23209 (http://www.osvdb.org/23209)

OSVDB-23212 (http://www.osvdb.org/23212)

OSVDB-23215 (http://www.osvdb.org/23215)

XF-dotproject-multiple-basedir-file-include(24738) (https://exchange.xforce.ibmcloud.com/vulnerabilities/24738)

OSVDB-23213 (http://www.osvdb.org/23213)

ADV-2006-0604 (http://www.vupen.com/english/advisories/2006/0604)

OSVDB-23214 (http://www.osvdb.org/23214)

OSVDB-23218 (http://www.osvdb.org/23218)

OSVDB-23211 (http://www.osvdb.org/23211)

OSVDB-23219 (http://www.osvdb.org/23219)

20060215 Re: dotproject <= 2.0.1 remote code execution (http://www.securityfocus.com/archive/1/425285/100/0/threaded)

Rapid7

Technical Analysis