PHProjekt allows infiltration of foreign scripts
Version 5.1 of the open source groupware solution PHProjekt contains two security vulnerabilities which could be exploited by an attacker to execute their own PHP code on the system. Using the path_pre parameter in lib/specialdays.php or the lib_path parameter in lib/dbman_filter.inc.php, it is possible to set paths to local or external sources and thus to include arbitrary scripts. For an attack to work, register_globals and allow_url_fopen must be set to "on" in php.ini, which should not be the case on a normal server installation. Nonetheless, there are numerous PHP applications which require these parameters to be set in order to function correctly. It is therefore possible that these parameters may have been changed previously during installation of other software.
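For administrators who want to check whether the two scripts have been requested with these parameters, the following is an added example (not code from PHProjekt or from the advisory) that scans web server access log lines. It assumes the common/combined log format; the sample log lines, addresses and host names are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Script -> request parameter named in the advisory for that script.
WATCHED = {
    "lib/specialdays.php": "path_pre",
    "lib/dbman_filter.inc.php": "lib_path",
}
# Request line of a common/combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
# A value starting with scheme:// names an external source (needs allow_url_fopen).
REMOTE_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)

def classify(line):
    """Return (script, param, 'remote'|'local') for a flagged line, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    path = unquote(url.path)
    for script, param in WATCHED.items():
        if path.endswith("/" + script):
            values = parse_qs(url.query, keep_blank_values=True).get(param)
            if values is None:
                return None  # script requested without the watched parameter
            remote = any(REMOTE_RE.match(v) for v in values)
            return (script, param, "remote" if remote else "local")
    return None

def scan(lines):
    """Collect the findings for every flagged line, in log order."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample entries (documentation addresses, .invalid host names).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2000:10:00:00 +0000] "GET /phprojekt/index.php HTTP/1.1" 200 5120',
    '192.0.2.44 - - [01/Jan/2000:10:00:05 +0000] "GET /phprojekt/lib/specialdays.php?path_pre=http://host.invalid/ HTTP/1.1" 200 312',
    '192.0.2.44 - - [01/Jan/2000:10:00:09 +0000] "GET /phprojekt/lib/dbman_filter.inc.php?lib_path=/constructed/local/path/ HTTP/1.1" 200 0',
    '192.0.2.10 - - [01/Jan/2000:10:01:00 +0000] "GET /phprojekt/lib/specialdays.php HTTP/1.1" 200 40',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Query-string matching only covers GET requests: with register_globals enabled the same variable names can also arrive in a POST body or a cookie, which a standard access log does not record, so an empty result does not rule out an attempt.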
According to the developers, the error was introduced in version 5.1, and versions 5.0, 5.0.1 and 5.0.2 are not affected. The developers are working flat out to develop a patch, which should be available by the end of the day. According to Johann Hartmann, they also intend to release a new version of PHProjekt at the same time. The source code is currently being scanned for similar errors, in order to remedy any that might be lurking.
- PHProjekt "path_pre"/"lib_path" File Inclusion Vulnerabilities, bug report from Secunia