lists.openwall.net   lists  /  announce  john-users  owl-users  popa3d-users  /  xvendor  oss-security  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4 
Open Source and information security mailing list archives
 
Order Openwall GNU/*/Linux 2.0 on a CD with delivery worldwide
[<prev] [next>] [month] [year] [list] 
From: advisory at stgsecurity.com (SSR Team)
Subject: STG Security Advisory: [SSA-20030902-04] Accessibility control bypass vulnerability of Wrapsody Viewer

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

STG Security Advisory: [SSA-20030902-04]
Accessibility control bypass vulnerability of Wrapsody Viewer

Revision 1.0
Date Published: 2003-09-02 (KST)
Last Update: 2003-09-02
Disclosed by SSR Team (advisory@...security.com)


Abstract
========
Wrapsody is a Fasoo.com's solution designed to enable confidential
information to be securely shared among friends, colleagues and business
partners. It encrypts files and allows senders to set up rules including
whether recipients have right to view, print, copy, paste and/or save so
that the sent message does not open to those who was not intended by the
sender.

Vulnerability Class
===================
Implementation Error: Inappropriate Implementation

Details
=======
A malicious user can bypass the copy & paste restriction of Wrapsody viewer
through a specific work flow instead of naive one intended by Wrapsody
developers.


Impact
======
Pubic exposure of confidential information stored in encrypted files

Solution
=========
Fasoo.com fixed this problem and released patched viewers available at
following addresses:

http://www.wrapsody.co.kr/viewer.asp (Korean Version)
http://eng.wrapsody.co.kr/viewer.asp (English Version)

Administrators should upgrade vulnerable viewers to prevent the divulgement
of confidential information.

Affected Products
================
Wrapsody Viewer 3.0 and below

Vendor Status: FIXED
====================
2003-07-28 Fasoo.com notified.
2003-07-29 Second attempt at vendor contact.
2003-08-29 Third attempt at vendor contact and they replied fixed
           versions were released.
2003-09-02 Public disclosure

Credits
======
Yongchan Kim at STG Security

About STG Security
=================
STG Security Inc. is a affiliated company of STG Group which has its head
office in the States founded in march 2000. Its core business area is
professional penetration testing, security code review and BS7799 consulting
services.

http://www.stgsecurity.com/

Phone +82-2-6333-4500
FAX +82-2-6333-4545

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBP1RSxj9dVHd/hpsuEQKDFwCgnSeEhTN6WYC+lhINfdIbJh96TYgAoMpn
D1jHx8dQxiu6va7xmseor7RR
=HuUV
-----END PGP SIGNATURE-----
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: Fasoo-Eng.txt
Url: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20030902/5dc0eb66/Fasoo-Eng.txt

Hosted by DataForce ISP - Powered by Openwall GNU/*/Linux