From: DUware Support
Sent: Saturday, December 20, 2021 8:31 PM
To: 'GulfTech Security'
Subject: RE: Multiple High Risk Security Issues In DUWare Products
You need to remove the following file off your server since it is part of our copyrighted product.
DUware Team

I am sure anyone reading this is aware that an HTML form is not copyrighted. But the part that is disturbing is that not only are these guys' products so insecure they allow you to take over the product itself, but the file upload vulns will let you take over the entire server. It allows anyone to upload malicious ASP script or worse and own the entire machine in most cases. Did they address these issues though? Let's have a look, shall we?

From: DUware Support
Sent: Monday, December 15, 2021 11:21 AM
To: GulfTech Security
Subject: Re: RE: Multiple High Risk Security Issues In DUWare Products
We received and reviewed the files you sent. Thank you very much.
We are not releasing any patches at this time but will include them as fixes 
and updates in the next version of our portal applications.
Best Regards,
Scott Lee
DUware Support Team

Yeah, I guess issues like this can wait to be fixed. lol. The sad part, though, is that some people PAY MONEY for these poorly written web applications. As a matter of fact, the Pro version of their laughably insecure portal runs users 130.00 USD!! Now surely you are thinking they would at least inform their customers, as paying customers are what's most valuable to a company. Nope, not at all. Go look at their website, no announcement or anything. BUT THEY WILL SELL YOU A COPY FOR 130.00$ :) Also, something I read in the licence agreement was particularly funny/disturbing:

The Software is provided on an "AS IS" basis, without warranty of any kind, including without 
limitation the warranties of merchantability, fitness for a particular purpose and non-infringement. 
The entire risk as to the quality and performance of the Software is borne by you. Should the Software 
prove defective, you and not DUWARE.COM assume the entire cost of any service and repair. 
In addition, the security mechanisms implemented by DUWARE.COM Software have inherent limitations, and you must 
determine that the Software sufficiently meets your requirements. This disclaimer of warranty constitutes 
an essential part of the agreement.

So to any customers out there: If you get owned it is YOUR FAULT for not reading the disclaimer, and not their fault for making a very low quality product. Now aren't you glad you paid money? And to the rest of the users ... At least you're getting your insecure software for free. lol

In closing I would like to say that I emailed these guys with the explicit details of the vulnerabilities and the high risk of having them exploited in order to help their customers, and to help them have a more secure product. I did not release these vulnerabilities to the public until they replied saying they would not be patched. Seems, though, that keeping their users in the dark and the fact that they own copyright to HTML forms is what's really important. Below are examples of the vulnerabilities in their portal product.

1) The forms below are not the forms from their portal product. They are not the same. If you have a copy of Portal 3.* and would like to test if your server/version is vulnerable then it is possible to save the form offline and alter the values of the "hidden" form fields. However we do not recommend this, as it may violate the portal license agreement.

2) We accept no responsibility for the information provided here. The forms below point to localhost, which would be the machine you are currently using. You may not save the HTML source of this page offline and alter the POST URL from localhost to the address of someone using the portal product or the demo of the portal product on the author's site.

3) If you paid for a copy of their products then I would definitely suggest emailing them and asking what the deal is. I would say contact the Better Business Bureau, but since in their licence agreement they clearly state that their security sucks and to use at your own risk, there isn't much you can do.

Account Hijack Exploit

File Upload Exploit

Privilege Escalation Exploit