In the past week, a few people have called me to task about referencing the dotProject vulnerability in the Project Importer Release and Risk Management Module update without giving details or even proof. Since the release of the fix (dotProject 2.1.2), I finally feel that it is appropriate to discuss this in detail.
First of all, congrats to the dotProject team on the latest release. Rolling a release is always a painful thing, and coordinating the pieces it takes for a successful Open Source project – and more importantly – a solid community is difficult by all measures.
Next, yes, I waited to release the details of this vulnerability to the general public. I believe this is entirely appropriate and preferred by existing dotProject users. Although I was not the person to discover it – it was a previous customer of CaseySoftware – upon validation, I passed it along to both the current web2project team and the dotProject team to give everyone time to respond before knowledge of the vulnerability became widespread. I believe this is the only appropriate way to respond.
And now on with the juicy stuff… the vulnerability:
Before I go any further, please ensure that you have upgraded your installation of dotProject and/or web2project. The dotProject release on 29 July resolves this and web2project has been protected since r168 (20 May).
In simple terms, the Secunia writeup submitted by Jonathan Parish is completely and entirely correct but it only scratches the surface of the problem.
dotProject – and previously web2project – were not revalidating your permissions to perform an action when you actually attempted the action. It doesn't take much to see how this could be a problem.
All of that said, there is one large barrier to prevent this from being too damaging: To perform any actions, you must have an active User session. Therefore, you are protected from some random person passing by, but hugely at risk from your own users.
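To make the flaw concrete, here is an added illustration in PHP (not code from this post, nor from dotProject or web2project): the vulnerable handler checks the permission only when deciding whether to render the "Delete" link, while the fixed handler re-validates the session and the permission at the moment the action is performed. The ACL table, function names and task data are constructed for this example.

```php
<?php
// Constructed example: a minimal action dispatcher showing the pattern
// described above. acl_can(), the handlers and the ACL table are
// hypothetical and are not dotProject's own API.

// Constructed ACL: user id => list of granted permissions.
$acl = [
    1 => ['tasks.view', 'tasks.edit', 'tasks.delete'],   // project manager
    2 => ['tasks.view'],                                 // ordinary user
];

function acl_can(array $acl, int $userId, string $perm): bool {
    return in_array($perm, $acl[$userId] ?? [], true);
}

// VULNERABLE pattern: the permission decides only whether the link is shown.
// The handler then trusts that whoever submitted the request saw the link.
function render_task_vulnerable(array $acl, int $userId): string {
    $link = acl_can($acl, $userId, 'tasks.delete') ? '<a href="?do=delete&id=7">Delete</a>' : '';
    return "<h1>Task</h1>$link";
}
function handle_delete_vulnerable(array &$tasks, int $taskId): string {
    unset($tasks[$taskId]);   // no re-check: any logged-in user can reach this
    return 'deleted';
}

// FIXED pattern: re-validate the session and the permission when the action
// actually runs, independent of how the request was built.
function handle_delete_fixed(array &$tasks, array $acl, ?int $userId, int $taskId): string {
    if ($userId === null) {
        return 'error: no active session';      // anonymous request
    }
    if (!acl_can($acl, $userId, 'tasks.delete')) {
        return 'error: permission denied';       // logged in, but not authorised
    }
    if (!isset($tasks[$taskId])) {
        return 'error: no such task';
    }
    unset($tasks[$taskId]);
    return 'deleted';
}

// Demo: user 2 is never shown the link, yet the vulnerable handler would act
// on the request anyway; the fixed handler refuses it and accepts user 1.
$tasks = [7 => 'Write release notes'];
echo render_task_vulnerable($acl, 2), "\n";          // <h1>Task</h1> (no link)
echo handle_delete_fixed($tasks, $acl, null, 7), "\n"; // error: no active session
echo handle_delete_fixed($tasks, $acl, 2, 7), "\n";    // error: permission denied
echo handle_delete_fixed($tasks, $acl, 1, 7), "\n";    // deleted
```

The defensive rule is the one the post states: the check that hides a control in the UI is not the check that protects the action; every handler must re-run it.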
The only fix for this… upgrade to dotProject 2.1.2 immediately. The first official release of web2project will have this included and if you've downloaded the code since 20 May 2008, you're already covered.