ProjeQtOr free project management software - [SOLVED] Potential vulnerability - ProjeQtOr


[SOLVED] Potential vulnerability

25 Apr 2023 14:22 #1 by Tears
Hello,

We came across the following link claiming an RCE exists in ProjeQtOr:
https://packetstormsecurity[.]com/files/171950/ppms1032-shell.txt

Can you guys check if this claim is legit?

Sorry if this is not the right place to ask


25 Apr 2023 14:40 #2 by babynus
Replied by babynus on topic Potential vulnerability
Hi,

This may be a vulnerability only if:
 - your web server (apache) is configured to execute .phar files as script code (like .php)
 - you did not follow the hints to store attachments out of web reach

NB: we will never forbid uploading scripting files such as .phar, .sh or others, as these may be a patch attached to a bug description.
ProjeQtOr is coded so that uploaded files cannot be executed from a web page.

Babynus
Administrator of ProjeQtOr web site
The following user(s) said Thank You: Tears
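The two conditions babynus lists above (the web server must not treat a .phar upload as script, and attachments should live outside the web root) are what a defender would check or enforce. The following is an added illustration, not ProjeQtOr's own code: a download handler that reads attachments from a directory outside DocumentRoot and streams them as opaque downloads, so an uploaded .phar or .php is never reachable as a URL and never handed to the PHP engine. The path /srv/projeqtor-files, the lookupAttachment() stub, the sample row and the id query parameter are assumptions made for the example.

```php
<?php
// Added illustration, not ProjeQtOr code: serve attachments that are stored
// OUTSIDE the web root through a download handler. The web server never maps
// the files to URLs, so a .phar/.php upload cannot be executed as a page.
//
// Assumptions (hypothetical): attachments live under /srv/projeqtor-files,
// which is not under DocumentRoot, and a database maps an opaque id to the
// stored name and the original upload name. lookupAttachment() stubs that.

declare(strict_types=1);

const ATTACHMENT_ROOT = '/srv/projeqtor-files'; // hypothetical, outside DocumentRoot

/** Hypothetical stand-in for a DB lookup: id => [stored name, original name]. */
function lookupAttachment(int $id): ?array
{
    $rows = [
        42 => ['stored' => 'a1b2c3.bin', 'original' => 'bugfix.phar'], // constructed sample
    ];
    return $rows[$id] ?? null;
}

/** Resolve the on-disk path and refuse anything that escapes ATTACHMENT_ROOT. */
function attachmentPath(string $stored): ?string
{
    $base = realpath(ATTACHMENT_ROOT);
    $path = realpath(ATTACHMENT_ROOT . '/' . basename($stored));
    if ($base === false || $path === false
        || strncmp($path, $base . '/', strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

/** Stream the attachment as a download; PHP only copies bytes, it never include()s the file. */
function sendAttachment(int $id): void
{
    $row  = lookupAttachment($id);
    $path = $row ? attachmentPath($row['stored']) : null;
    if ($path === null || !is_file($path)) {
        http_response_code(404);
        exit;
    }
    // Neutral content type plus nosniff: the browser must neither render nor
    // guess a type for the bytes, and the original extension is not trusted.
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . (string) filesize($path));
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', $row['original']);
    header('Content-Disposition: attachment; filename="' . $safeName . '"');
    readfile($path);
    exit;
}

sendAttachment((int) ($_GET['id'] ?? 0));

// Belt and braces if the upload directory has to stay under DocumentRoot
// (Apache vhost fragment, path is a placeholder):
// <Directory "/var/www/projeqtor/files">
//     php_admin_flag engine off
//     <FilesMatch "\.(php|phar|phtml|phps)$">
//         Require all denied
//     </FilesMatch>
// </Directory>
```

The Apache fragment in the trailing comment covers the case where attachments cannot be moved out of the web root: `Require all denied` on script extensions is enforced by Apache itself and so works with any PHP SAPI, while `php_admin_flag engine off` only takes effect under mod_php (with PHP-FPM, check instead that the FilesMatch which proxies .php to the FPM socket does not also apply to the attachments directory). Either way, the first-line defence remains the one babynus gives: keep the files where no URL resolves to them.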


25 Apr 2023 14:50 - 25 Apr 2023 14:51 #3 by babynus
Replied by babynus on topic Potential vulnerability
Anyway, we'll have a fix in the next patch.

Babynus
Administrator of ProjeQtOr web site
Last edit: 25 Apr 2023 14:51 by babynus.


25 Apr 2023 15:02 #4 by Tears
Replied by Tears on topic Potential vulnerability
We saw a similar claim for DotClear (by the same author) and they chose to forbid phar files: https://github[.]com/dotclear/dotclear/commit/868e74d80b185290964dcedf227f57b1ad42696d

But yeah, ProjeQtOr is a totally different product.

Anyway, thank you very much for the quick answer.
