CVE-2006-0755 Information

Description

LICENSE README.md cvefilelist cvelist nvdcve nvdpages.sh scripts test-CVE-2017-1882.markdown test-CVE-2017-18822.markdown tmpvendorlinks DISPUTED LICENSE README.md cvefilelist cvelist nvdcve nvdpages.sh scripts test-CVE-2017-1882.markdown test-CVE-2017-18822.markdown tmpvendorlinks Multiple PHP remote file include vulnerabilities in dotProject 2.0.1 and earlier when register_globals is enabled allow remote attackers to execute arbitrary commands via the baseDir parameter in (1) db_adodb.php (2) db_connect.php (3) session.php (4) vw_usr_roles.php (5) calendar.php (6) date_format.php and (7) tasks/gantt.php; and the dPconfig[root_dir] parameter in (8) projects/gantt.php (9) gantt2.php and (10) vw_files.php. NOTE: the vendor disputes this issue stating that the product documentation clearly recommends that the system administrator disable register_globals and that the check.php script warns against this setting. Also the vendor says that the protection.php/siteurl vector is incorrect because protection.php does not exist in the product.

Reference

http://secunia.com/advisories/18879 http://www.osvdb.org/23209 http://www.osvdb.org/23210 http://www.osvdb.org/23211 http://www.osvdb.org/23212 http://www.osvdb.org/23213 http://www.osvdb.org/23214 http://www.osvdb.org/23215 http://www.osvdb.org/23216 http://www.osvdb.org/23217 http://www.osvdb.org/23218 http://www.osvdb.org/23219 http://www.securityfocus.com/archive/1/424957/100/0/threaded http://www.securityfocus.com/archive/1/425285/100/0/threaded http://www.securityfocus.com/bid/16648 http://www.vupen.com/english/advisories/2006/0604 https://exchange.xforce.ibmcloud.com/vulnerabilities/24738 LICENSE README.md cvefilelist cvelist nvdcve nvdpages.sh scripts test-CVE-2017-1882.markdown test-CVE-2017-18822.markdown tmpvendorlinks DISPUTED LICENSE README.md cvefilelist cvelist nvdcve nvdpages.sh scripts test-CVE-2017-1882.markdown test-CVE-2017-18822.markdown tmpvendorlinks Multiple PHP remote file include vulnerabilities in dotProject 2.0.1 and earlier when register_globals is enabled allow remote attackers to execute arbitrary commands via the baseDir parameter in (1) db_adodb.php (2) db_connect.php (3) session.php (4) vw_usr_roles.php (5) calendar.php (6) date_format.php and (7) tasks/gantt.php; and the dPconfig[root_dir] parameter in (8) projects/gantt.php (9) gantt2.php and (10) vw_files.php. NOTE: the vendor disputes this issue stating that the product documentation clearly recommends that the system administrator disable register_globals and that the check.php script warns against this setting. Also the vendor says that the protection.php/siteurl vector is incorrect because protection.php does not exist in the product.