dotProject contains a flaw that allows a remote attacker to include arbitrary files. The issue is due to numerous scripts that call the classdefs/date.php script without defining or restricting the $root_dir variable. This allows an attacker to set the variable to an arbitrary server/path/file name which may include malicious commands that would be executed on the vulnerable server.

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround:
create a .htaccess file that contains 'Deny from all' in the /modules/ directory.

• ISS X-Force ID: 11192
• Related OSVDB ID: 3593
• Bugtraq ID: 6710
• Secunia Advisory ID: 7974
• Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2003-01/0344.html
• Vendor URL: http://www.dotproject.net/

Unknown or Incomplete

We currently have no CVSS2 data on this vulnerability. Feel free to suggest it.