26th Sep 2002 [SBWID-5310]
COMMAND
	PHProjekt multiple remote vulnerabilities
SYSTEMS AFFECTED
	All versions below 3.2
PROBLEM
	Ulf Harnhammar [[email protected]] found the following vulnerabilities:
	1) Some of the scripts in the system require that the user is logged in,
	while others don't. The system differentiates between them by checking the
	current URL in the variable $PHP_SELF to see if it contains strings like
	"sms" (the name of one of the scripts that don't require logging in
	contains that string). Unfortunately, $PHP_SELF includes the PATH_INFO part
	of a request. This means that we can fool the system into thinking that we
	are accessing a script that doesn't need logging in, while in fact we are
	accessing a script that does. This is done by constructing a URL like
	
	http://www.somehost.com/phprojekt/mail/mail_send.php/sms
	
	where the PATH_INFO part is "/sms".
	2) The upload functions in the system don't check if the variables related
	to an upload actually were set by uploading a file or if they are normal
	POST data. This can be used to make the system treat any file it can read,
	like "/etc/passwd", as the uploaded data.
	3) Many SQL statements in the system include user data without enclosing
	it in apostrophes or quotes. This means that much more data than intended
	can be deleted or changed. If the system uses the parameter "id" in the
	string "UPDATE table SET name='Ulf' WHERE intTableID=$id", giving "id" the
	value "intTableID" means that we will end up executing the statement
	"UPDATE table SET name='Ulf' WHERE intTableID=intTableID". This statement
	will change all names in the table to Ulf.
	4) Some of the scripts that should require logging in never check if you
	are in fact logged in. This means that a person with insufficient
	privileges can view or edit data in the system, by posting the right data
	to those scripts.
	5) Files are accessed without proper checking of their file names for
	slashes and dots. This means that we can read files outside of the
	PHProjekt system by entering file names like "../../../../../etc/passwd".
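	As an added example, not code from the advisory or from PHProjekt itself, the following PHP shows each of the five weak patterns described above beside a hardened equivalent: an allow-list keyed on the real script file instead of $PHP_SELF (1), an explicit session check (4), is_uploaded_file()/move_uploaded_file() instead of trusting POST variables (2), typed and bound SQL parameters (3), and a path check that confines file names to the data directory (5). All function names, the PUBLIC_SCRIPTS list, the session layout and the table name "contacts" are constructed for illustration.

```php
<?php
declare(strict_types=1);
// Added example, not PHProjekt's own code. All names below are constructed.

// ---- Finding 1: deciding whether the current script needs a login ----------
// Weak: $PHP_SELF includes PATH_INFO, so "/phprojekt/mail/mail_send.php/sms"
// contains "sms" and mail_send.php is treated as a public script.
function login_required_weak(string $php_self): bool
{
    return strstr($php_self, 'sms') === false;
}

// Hardened: default-deny, keyed on the real file name (pass __FILE__, which
// never carries PATH_INFO) against an explicit allow-list of public scripts.
const PUBLIC_SCRIPTS = ['sms.php', 'login.php']; // constructed allow-list

function login_required(string $script_file): bool
{
    return !in_array(basename($script_file), PUBLIC_SCRIPTS, true);
}

// ---- Finding 4: protected scripts must actually enforce the login ----------
function require_login(array $session): void
{
    if (empty($session['user_id'])) {
        http_response_code(403);
        exit('login required');
    }
}

// ---- Finding 2: only accept data that PHP itself received as an upload -----
// Weak (register_globals era): $userfile is whatever the client POSTed, for
// example "/etc/passwd", and copy() reads it like any other file.
function store_upload_weak(string $userfile, string $dest): bool
{
    return copy($userfile, $dest);
}

// Hardened: is_uploaded_file() is true only for the temp file PHP created for
// this request's multipart upload; move_uploaded_file() applies the same check.
function store_upload(array $files, string $dest_dir): ?string
{
    if (!isset($files['userfile']) || $files['userfile']['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    $tmp = $files['userfile']['tmp_name'];
    if (!is_uploaded_file($tmp)) {
        return null;
    }
    $dest = $dest_dir . '/' . bin2hex(random_bytes(8)); // server-chosen name
    return move_uploaded_file($tmp, $dest) ? $dest : null;
}

// ---- Finding 3: numeric parameters go into SQL typed and bound -------------
// Weak: id="intTableID" yields "... WHERE intTableID=intTableID", true for every row.
function update_name_sql_weak(string $id, string $name): string
{
    return "UPDATE contacts SET name='$name' WHERE intTableID=$id";
}

// Hardened: reject anything that is not a decimal integer, then bind both values.
function update_name(PDO $db, string $id, string $name): int
{
    if (!ctype_digit($id)) {
        throw new InvalidArgumentException('id must be a non-negative integer');
    }
    $stmt = $db->prepare('UPDATE contacts SET name = :name WHERE intTableID = :id');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// ---- Finding 5: confine file names to the data directory -------------------
// Weak: "../../../../../etc/passwd" walks straight out of $data_dir.
function data_path_weak(string $data_dir, string $filename): string
{
    return $data_dir . '/' . $filename;
}

// Hardened: drop every directory component, then verify the resolved path is
// still inside the (symlink-resolved) data directory.
function data_path(string $data_dir, string $filename): ?string
{
    $base = realpath($data_dir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . basename($filename));
    if ($candidate === false || strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

// Quick check of findings 1 and 3 that needs neither a web server nor a database.
var_dump(login_required_weak('/phprojekt/mail/mail_send.php/sms')); // weak check on the PATH_INFO URL above
var_dump(login_required('/var/www/phprojekt/mail/mail_send.php'));  // hardened check on the same script
echo update_name_sql_weak('intTableID', 'Ulf'), "\n";               // the statement from finding 3
```

	The hardened login check is deliberately default-deny: a script is public only if its basename is in PUBLIC_SCRIPTS, so a new script that forgets to register itself fails closed rather than open, and because the check is keyed on __FILE__ no request-controlled string takes part in the decision. In the SQL case the ctype_digit() guard and PDO::PARAM_INT binding together ensure that "id" can only ever be a number, which is what closes the "intTableID=intTableID" hole even before quoting is considered.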
SOLUTION
	Get version 3.2 from http://www.phprojekt.com/