lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
From: advisory at stgsecurity.com (SSR Team)
Subject: STG Security Advisory: [SSA-20030902-04] Accessibility control bypass vulnerability of Wrapsody Viewer

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

STG Security Advisory: [SSA-20030902-04]
Accessibility control bypass vulnerability of Wrapsody Viewer

Revision 1.0
Date Published: 2003-09-02 (KST)
Last Update: 2003-09-02
Disclosed by SSR Team (advisory@...security.com)


Abstract
========
Wrapsody is a Fasoo.com's solution designed to enable confidential
information to be securely shared among friends, colleagues and business
partners. It encrypts files and allows senders to set up rules including
whether recipients have right to view, print, copy, paste and/or save so
that the sent message does not open to those who was not intended by the
sender.

Vulnerability Class
===================
Implementation Error: Inappropriate Implementation

Details
=======
A malicious user can bypass the copy & paste restriction of Wrapsody viewer
through a specific work flow instead of naive one intended by Wrapsody
developers.


Impact
======
Pubic exposure of confidential information stored in encrypted files

Solution
=========
Fasoo.com fixed this problem and released patched viewers available at
following addresses:

http://www.wrapsody.co.kr/viewer.asp (Korean Version)
http://eng.wrapsody.co.kr/viewer.asp (English Version)

Administrators should upgrade vulnerable viewers to prevent the divulgement
of confidential information.

Affected Products
================
Wrapsody Viewer 3.0 and below

Vendor Status: FIXED
====================
2003-07-28 Fasoo.com notified.
2003-07-29 Second attempt at vendor contact.
2003-08-29 Third attempt at vendor contact and they replied fixed
           versions were released.
2003-09-02 Public disclosure

Credits
======
Yongchan Kim at STG Security

About STG Security
=================
STG Security Inc. is a affiliated company of STG Group which has its head
office in the States founded in march 2000. Its core business area is
professional penetration testing, security code review and BS7799 consulting
services.

http://www.stgsecurity.com/

Phone +82-2-6333-4500
FAX +82-2-6333-4545

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBP1RSxj9dVHd/hpsuEQKDFwCgnSeEhTN6WYC+lhINfdIbJh96TYgAoMpn
D1jHx8dQxiu6va7xmseor7RR
=HuUV
-----END PGP SIGNATURE-----
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: Fasoo-Eng.txt
Url: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20030902/5dc0eb66/Fasoo-Eng.txt

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ