ProjeQtOr free project management software - [SOLVED] Potential vulnerability - ProjeQtOr
[SOLVED] Potential vulnerability

25 Apr 2023 14:22 #1 by Tears
Hello,

We came across the following link claiming an RCE exists in ProjeQtOr:
https://packetstormsecurity[.]com/files/171950/ppms1032-shell.txt

Can you guys check if this claim is legit?

Sorry if this is not the right place to ask


25 Apr 2023 14:40 #2 by babynus
Hi,

This may be a vulnerability only if:
 - your web server (Apache) is configured to execute .phar files as script code (like .php)
 - you did not follow the hints to store attachments out of web reach

NB: we will never forbid uploading scripting files, such as .phar, .sh or others, as these may be a patch for a bug description.
ProjeQtOr is coded so that uploaded files cannot be executed from a web page.

Babynus
Administrator of ProjeQtOr web site

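
The two conditions named in the reply above can be audited mechanically. The script below is an added example, not ProjeQtOr's code: it evaluates each Apache handler rule against a probe file name (a plain grep for ".phar" misses patterns such as the Debian/Ubuntu mod_php default `.+\.ph(ar|p|tml)$`), and checks whether an attachment directory resolves to a path under DocumentRoot. The sample configs and paths are constructed.

```python
"""Audit: does .phar run as PHP, and do attachments sit under DocumentRoot?
Added example, not ProjeQtOr code. Sample configs below are constructed."""
import posixpath
import re

PROBE = "attachment.phar"  # file name used to test whether a handler would fire

# <FilesMatch "regex"> ... </FilesMatch> blocks (Apache uses PCRE; Python re is close enough here)
_FILESMATCH = re.compile(r'<FilesMatch\s+"([^"]+)"\s*>(.*?)</FilesMatch>', re.S | re.I)
# AddHandler/AddType lines naming a PHP handler followed by an extension list
_ADD = re.compile(r'^\s*(?:AddHandler|AddType)\s+(\S*php\S*)\s+(.+)$', re.I | re.M)


def _strip_comments(text):
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def phar_executes_as_php(config_text):
    """True if any handler rule in the config would pass attachment.phar to PHP."""
    text = _strip_comments(config_text)
    for pattern, body in _FILESMATCH.findall(text):
        try:
            if "php" in body.lower() and re.search(pattern, PROBE):
                return True
        except re.error:  # PCRE-only syntax we cannot evaluate: skip, do not crash
            continue
    for _handler, exts in _ADD.findall(text):
        if any(e.lstrip(".").lower() == "phar" for e in exts.split()):
            return True
    return False


def attachments_web_reachable(document_root, attachment_dir):
    """True if attachment_dir is DocumentRoot itself or lies beneath it."""
    root = posixpath.normpath(document_root)
    target = posixpath.normpath(attachment_dir)
    return target == root or target.startswith(root.rstrip("/") + "/")


# Constructed samples: the first mirrors the Debian/Ubuntu mod_php default, the second drops "ar".
WEAK_CONF = r'''
<FilesMatch ".+\.ph(?:ar|p|tml)$">
    SetHandler application/x-httpd-php
</FilesMatch>
'''
HARDENED_CONF = r'''
<FilesMatch ".+\.ph(?:p|tml)$">
    SetHandler application/x-httpd-php
</FilesMatch>
'''

if __name__ == "__main__":
    print("weak conf runs .phar as PHP:", phar_executes_as_php(WEAK_CONF))
    print("hardened conf runs .phar as PHP:", phar_executes_as_php(HARDENED_CONF))
    print("attachments under DocumentRoot:",
          attachments_web_reachable("/var/www/html", "/var/www/html/files/attach"))
```

Run it against the real `php*.conf` / vhost files and the configured attachment directory; a `True` on the first check means the web server, not ProjeQtOr, would execute an uploaded .phar.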

25 Apr 2023 14:50 - 25 Apr 2023 14:51 #3 by babynus
Anyway, we'll have a fix in the next patch.

Babynus
Administrator of ProjeQtOr web site
Last edit: 25 Apr 2023 14:51 by babynus.


25 Apr 2023 15:02 #4 by Tears
We saw a similar claim for DotClear (by the same author) and they chose to forbid phar files: https://github[.]com/dotclear/dotclear/commit/868e74d80b185290964dcedf227f57b1ad42696d

But yeah, ProjeQtOr is a totally different product.

Anyway, thank you very much for the quick answer.
