CVE-2006-0755

MEDIUM

dotProject <= 2.0.1 - Remote File Inclusion via baseDir and dPconfig Parameters

Title source: llm

Exploitation Summary

EIP tracks 10 public exploits for CVE-2006-0755. PoCs published by dun, r.verton.

AI-analyzed exploit summary: This is a writeup describing a Remote File Inclusion (RFI) vulnerability in dotProject <= 2.1.6. The vulnerability exists in the `gantt.php` file due to improper handling of the `dPconfig[root_dir]` parameter, allowing remote file inclusion when `allow_url_include` and `register_globals` are enabled.

Description

Multiple PHP remote file include vulnerabilities in dotProject 2.0.1 and earlier, when register_globals is enabled, allow remote attackers to execute arbitrary commands via the baseDir parameter in (1) db_adodb.php, (2) db_connect.php, (3) session.php, (4) vw_usr_roles.php, (5) calendar.php, (6) date_format.php, and (7) tasks/gantt.php; and the dPconfig[root_dir] parameter in (8) projects/gantt.php, (9) gantt2.php, and (10) vw_files.php. NOTE: the vendor disputes this issue, stating that the product documentation clearly recommends that the system administrator disable register_globals, and that the check.php script warns against this setting. Also, the vendor says that the protection.php/siteurl vector is incorrect because protection.php does not exist in the product.

Exploits (10)

exploitdb WRITEUP VERIFIED
by dun · text · webapps · php
https://www.exploit-db.com/exploits/22708

This is a writeup describing a Remote File Inclusion (RFI) vulnerability in dotProject <= 2.1.6. The vulnerability exists in the `gantt.php` file due to improper handling of the `dPconfig[root_dir]` parameter, allowing remote file inclusion when `allow_url_include` and `register_globals` are enabled.

Classification: Writeup 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: dotProject <= 2.1.6
No auth needed
Prerequisites: allow_url_include = On · register_globals = On
devstral-2 · analyzed Feb 16, 2026

exploitdb WRITEUP VERIFIED
by r.verton · text · webapps · php
https://www.exploit-db.com/exploits/27225

The provided text describes a remote file inclusion vulnerability in Dotproject, where unsanitized user input in the 'baseDir' parameter of 'gantt.php' allows arbitrary remote file inclusion. This can lead to remote code execution in the context of the webserver process.

Classification: Writeup 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Theoretical
Target: Dotproject (version not specified)
No auth needed
Prerequisites: Remote file hosting with malicious PHP code · PHP configuration allowing remote file inclusion
devstral-2 · analyzed Feb 16, 2026

exploitdb WRITEUP VERIFIED
by r.verton · text · webapps · php
https://www.exploit-db.com/exploits/27224

The provided text describes a remote file inclusion vulnerability in Dotproject, where unsanitized user input in the 'baseDir' parameter allows arbitrary remote file inclusion. This can lead to remote code execution in the context of the webserver process.

Classification: Writeup 80%
Attack Type: RCE
Complexity: Trivial
Reliability: Theoretical
Target: Dotproject (version not specified)
No auth needed
Prerequisites: Access to the vulnerable Dotproject instance · Ability to host a malicious PHP file on a remote server
devstral-2 · analyzed Feb 16, 2026

exploitdb WRITEUP VERIFIED
by r.verton · text · webapps · php
https://www.exploit-db.com/exploits/27223

The provided text describes a remote file inclusion vulnerability in Dotproject, where unsanitized user input in the 'baseDir' parameter of calendar.php allows arbitrary remote file inclusion. This can lead to remote code execution in the context of the webserver process.

Classification: Writeup 80%
Attack Type: RCE
Complexity: Trivial
Reliability: Theoretical
Target: Dotproject (version not specified)
No auth needed
Prerequisites: Access to the vulnerable Dotproject instance · Ability to host a malicious PHP file on a remote server
devstral-2 · analyzed Feb 16, 2026

exploitdb WRITEUP VERIFIED
by r.verton · text · webapps · php
https://www.exploit-db.com/exploits/27221

The code describes a remote file inclusion vulnerability in Dotproject due to improper input sanitization. An attacker can exploit this to execute arbitrary PHP code by including a remote file via the 'dPconfig[root_dir]' parameter.

Classification: Writeup 80%
Attack Type: RCE
Complexity: Trivial
Reliability: Theoretical
Target: Dotproject (version not specified)
No auth needed
Prerequisites: Network access to the target application · Ability to host a malicious PHP file on a remote server
devstral-2 · analyzed Feb 16, 2026

exploitdb WRITEUP VERIFIED
by r.verton · text · webapps · php
https://www.exploit-db.com/exploits/27220

The provided text describes a remote file inclusion vulnerability in Dotproject, where unsanitized user input in the 'dPconfig[root_dir]' parameter allows arbitrary remote file inclusion. This can lead to remote code execution in the context of the webserver process.

Classification: Writeup 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Theoretical
Target: Dotproject (version not specified)
No auth needed
Prerequisites: Access to the vulnerable Dotproject instance · Ability to host a malicious PHP file on a remote server
devstral-2 · analyzed Feb 16, 2026

exploitdb WRITEUP VERIFIED
by r.verton · text · webapps · php
https://www.exploit-db.com/exploits/27217

The provided text describes a remote file inclusion vulnerability in Dotproject, where unsanitized user input in the 'dPconfig[root_dir]' parameter allows arbitrary remote file inclusion. No actual exploit code is present, only a description and example URL.

Classification: Writeup 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Theoretical
Target: Dotproject (version not specified)
No auth needed
Prerequisites: Remote file hosting with malicious PHP code · PHP configuration allowing remote file inclusion
devstral-2 · analyzed Feb 16, 2026

exploitdb WRITEUP VERIFIED
by r.verton · text · webapps · php
https://www.exploit-db.com/exploits/27222

The provided text describes a remote file inclusion vulnerability in Dotproject, where unsanitized user input allows an attacker to include arbitrary remote files containing malicious PHP code. The example URL demonstrates the vulnerable parameter 'baseDir' in the 'vw_usr_roles.php' module.

Classification: Writeup 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Theoretical
Target: Dotproject (version not specified)
No auth needed
Prerequisites: Access to the vulnerable Dotproject instance · Ability to host a malicious PHP file on a remote server
devstral-2 · analyzed Feb 16, 2026

exploitdb WRITEUP VERIFIED
by r.verton · text · webapps · php
https://www.exploit-db.com/exploits/27219

The provided text describes a remote file inclusion vulnerability in Dotproject, where unsanitized user input in the 'baseDir' parameter of 'session.php' allows arbitrary remote file inclusion. This can lead to remote code execution in the context of the webserver process.

Classification: Writeup 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Theoretical
Target: Dotproject (version not specified)
No auth needed
Prerequisites: Access to the vulnerable 'session.php' endpoint · Ability to host a malicious PHP file on a remote server
devstral-2 · analyzed Feb 16, 2026

exploitdb WRITEUP VERIFIED
by r.verton · text · webapps · php
https://www.exploit-db.com/exploits/27218

The provided text describes a remote file inclusion vulnerability in Dotproject, where unsanitized user input in the 'baseDir' parameter allows arbitrary remote file inclusion. No actual exploit code is present, only a description and example URL.

Classification: Writeup 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Theoretical
Target: Dotproject (version not specified)
No auth needed
Prerequisites: Remote file hosting with malicious PHP code · PHP configuration allowing remote file inclusion
devstral-2 · analyzed Feb 16, 2026

References (17)

Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/23213
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/23214
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/23217
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/16648
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/24738
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/23216
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/23212
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/23215
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/23218
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/23219
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/424957/100/0/threaded
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/23210
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/18879
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/23209
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/0604
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/23211
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/425285/100/0/threaded

Scores

CVSS v3 5.6
EPSS 0.0785
EPSS Percentile 93.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

Status published
Products (2)
dotproject/dotproject 2.0
dotproject/dotproject 2.0.1
Published Feb 18, 2006
Tracked Since Feb 18, 2026