Advisory 06/2006: PHProjekt (Remote) Include Vulnerabilities

Hash: SHA1

Hardened-PHP Project

-= Security Advisory =-

Advisory: PHProjekt (Remote) Include Vulnerabilities
Release Date: 2006/09/29
Last Modified: 2006/09/29
Author: Stefan Esser []

Application: PHProjekt 5.1.1
Severity: An unverified path may allow an attacker to inject
and execute arbitrary PHP code
Risk: Critical
Vendor Status: Vendor has a released an updated version


Quote from
"PHProjekt is a modular application for the coordination of group
activities and to share informations and document via intranet and
internet. Components of PHProjekt: Group calendar, project
management, time card system, file management, contact manager,
mail client and 9 other modules ...(feature list).
PHProjekt supports many protocols like ldap, soap and webdav and is
available for 36 languages and 7 databases."

While searching for applications that are vulnerable to a new class
of vulnerabilities inside PHP applications we took a quick look
into the current PHProjekt source code and discovered that a (remote)
include vulnerability had been (re)introduced.

By overwriting a variable with user input it is possible to inject
and execute arbitrary PHP code. Overwriting this variable is possible
regardless of the register_globals setting.

It is recommended to install our Suhosin (
PHP extension, because it is the only solution that stops 100% of
all URL includes. Please note that allow_url_fopen is NOT a 100%
protection because it does NOT stop all URL types.


PHProjekt includes several files from different paths. In earlier
versions it was possible to overwrite the base path variable
$path_pre from the outside and use it to include arbitrary files
or URLs. This vulnerability had been fixed by checking the content
of $path_pre and bailing out of the PHP script in case of an

Unfortunately the code within PHProjekt was moved around, which
resulted in $lib_path and $lang_path beeing filles before the
request variables are extracted into the global namespace by the
PHP script. (This globalisation is done by the code of PHProjekt
and has nothing todo with PHP's register_globals feature).

Because of this construction it is possible to include arbitrary
PHP files by filling $lib_path or $lang_path through f.e. the URL.

This vulnerability was now fixed by modifying all include paths
to use constants instead of variables, because constants cannot
be overwritten once they are set.

Proof of Concept:

The Hardened-PHP Project is not going to release exploits for
this vulnerability to the public.

Disclosure Timeline:

21. September 2006 - Contacted PHProjekt developers by email
28. September 2006 - Updated PHProjekt was released
29. September 2006 - Public Disclosure


It is strongly recommended to upgrade to the newest version of
PHProejekt 5.1.2 which you can download at:

As usual we very stronlgy recommend to install our Suhosin PHP
extension, because it is the only solution that stops all
PHP remote URL includes. The often advertised allow_url_fopen
configuration directive does NOT protect against 'php://input'
or 'data:' URL types. Suhosin additionally can stop several
directory traversal attacks that try to include local files.

Grab your copy and more information at:


pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1

Copyright 2006 Stefan Esser. All rights reserved.

Version: GnuPG v1.4.3 (GNU/Linux)

© Hardened PHP Project