Date: 21 Jun 2006 08:25:30 -0000
From: bulten@...abs.net
To: bugtraq@...urityfocus.com
Subject: JEdit ActiveX Control Information Disclosure vulnerability


JEdit ActiveX Control Information Disclosure vulnerability

Publish Date: July 17, 2006
Status:    SRLabs.net contacted the vendor on July 7 2006 to request a security 
	contact for sending information about the vulnerability but has not received any response yet

Vendor: Jaguarsoft (http://www.jaguarsoft.com)

JEdit is an ActiveX Control for IE for anti-keylogger purposes. Many banks in Turkey distribute 
different builds of JEdit to users for protection. 

SRLabs.net discovered an information disclosure vulnerability in JEdit. An attacker can obtain the
following sensitive information in the wild:
	- User's Machine Name
	- Logged-in Windows user's name 
	- User's MAC Address
	- User's IP address, which is bound to the user machine's Ethernet
	- User's Gateway IP address, which is bound to the user machine's Ethernet
	- User's HDD serial number

Builds affected by this vulnerability:
	- Garanti Bankasi / Guvenlik Kalkani
	- Anadolu Finans Kurumu / Anadolu Hisari
	- Is Bankasi / Guvenlik Cemberi
	- Turkishbank / E-Guard

Proof-of-concept code can be viewed at http://www.srlabs.net/bulten/source/Jaguar.htm

