netOffice Dwins demoSession Parameter Authentication Bypass

Severity: High, Nessus Plugin ID 31342

Synopsis

The remote web server contains a PHP application that is affected by an authentication bypass vulnerability.

Description

The remote host is running netOffice Dwins, an open source project management application written in PHP.

The version of netOffice Dwins installed on the remote host allows an attacker to bypass authentication and reach parts of the application that would ordinarily require it. The bypass is triggered by setting the 'demoSession' request parameter to '1'. One attack this reportedly allows is uploading arbitrary PHP files, which are then executed on the remote host with the privileges of the web server.
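For log review on a host flagged by this plugin, the following added example (not part of the plugin or of netOffice Dwins) lists clients whose requests set demoSession to 1 and counts the POST requests they made from that point on. It assumes Apache/nginx combined-format access logs and a parameter sent in the query string; values sent in a POST body or cookie do not appear in such logs. The sample lines, paths and addresses are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def sets_demo_session(target):
    """True if the request target's query string sets demoSession to 1."""
    query = urlsplit(target).query
    # parse_qsl percent-decodes names and values, so demo%53ession=%31 matches.
    return any(name == "demoSession" and value == "1"
               for name, value in parse_qsl(query, keep_blank_values=True))

def review_log(lines):
    """Per client IP: requests carrying demoSession=1, and POSTs seen at or
    after the first such request (relevant to the reported file upload)."""
    report = defaultdict(lambda: {"hits": [], "posts_after": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # line is not in the expected format
        ip = m["ip"]
        if sets_demo_session(m["target"]):
            report[ip]["hits"].append(
                (m["ts"], m["method"], m["target"], int(m["status"])))
        if ip in report and m["method"] == "POST":
            report[ip]["posts_after"] += 1
    return dict(report)

# Constructed sample; /app/... paths are placeholders, not real application paths.
SAMPLE = [
    '192.0.2.10 - - [04/Mar/2008:10:00:01 +0000] "GET /app/page.php?id=3 HTTP/1.1" 200 512',
    '198.51.100.7 - - [04/Mar/2008:10:00:05 +0000] "GET /app/page.php?demoSession=1 HTTP/1.1" 200 2048',
    '198.51.100.7 - - [04/Mar/2008:10:00:09 +0000] "POST /app/form.php?demo%53ession=%31 HTTP/1.1" 200 310',
    '198.51.100.7 - - [04/Mar/2008:10:00:12 +0000] "POST /app/form.php HTTP/1.1" 302 0',
    '192.0.2.10 - - [04/Mar/2008:10:00:20 +0000] "GET /app/page.php?demoSession=0 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, info in review_log(SAMPLE).items():
        print(ip, len(info["hits"]), "hit(s),", info["posts_after"], "POST(s) after")
```

A client with hits answered by a 2xx or 3xx status, followed by POST requests, is the case to examine first; any PHP files created under the web root around those timestamps are worth checking.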

Solution

Upgrade to netOffice Dwins 1.3.1 or later.

See Also

https://www.securityfocus.com/archive/1/488958/30/0/threaded

http://www.nessus.org/u?54091927

Plugin Details

Severity: High

ID: 31342

File Name: netofficedwins_demosession.nasl

Version: 1.20

Type: remote

Family: CGI abuses

Published: 3/4/2008

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:netoffice:dwins

Required KB Items: www/PHP

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Available: true

Exploit Ease: Exploits are available

Exploited by Nessus: true

Reference Information

CVE: CVE-2008-2044

BID: 28051

CWE: 94

SECUNIA: 29193