lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Date: Mon, 16 Oct 2006 11:05:56 +0200
From: <security@...ns.com>
To: <full-disclosure@...ts.grok.org.uk>
Subject: Asbru HardCore Web Content Editor - Command
	Injection

________________________________________________________________________

n.runs GmbH					   
http://www.nruns.com/			              security@...ns.com
n.runs-SA-2006.001                                           15-Oct-2006
________________________________________________________________________

Vendor:	           Asbru Software, http://asbrusoft.com
Product:               Asbru HardCore Web Content Editor,
http://editor.asbrusoft.com/
Vulnerability:         Command Injection 

________________________________________________________________________

Vendor communication:

  2006/10/05		initial notification of AsbruSoft
  2006/10/08            fix was created over the weekend, released
                                                    on Oct 8. 
________________________________________________________________________

Overview:
 
The Asbru Software Web Content Editor allows for web-based advanced text
processing, replacing the typical TEXTAREA input fields with a rich user
interface, offering HTML editing capabilities, formatting and various other
features. 
It integrates with Asbru Software's Content Management System, works with
most modern browsers and comes in versions for ASP, ASP.NET, PHP, ColdFusion
and JSP. 

Description:
 The spell checking feature uses ASpell, which is invoked through the
respective language's process creation commands, such as proc_open() in PHP,
Runtime's
exec() method in JSP, shell.Run() in ASP and the like.  All these
invocations are prone to a command injection attack, since ASpell's
dictionary argument is specified from a HTTP request parameter and the input
is not sanitized. 
This leads to immediate shell command execution if an attacker carefully
crafts this parameter's value.  The vulnerability is *only* present if the
spell checking capability is in use.

Solution: 
AsbruSoft reacted very quickly. The vulnerability was reported on Oct 5 and
a fix was created over the weekend, released on Oct 8. The updated version
6.0.22  is available from 
http://editor.asbrusoft.com/page.php/id=727.   
________________________________________________________________________

Credit: 
  Bug found by Jan Muenther of n.runs GmbH. Thanks 
________________________________________________________________________

References: None
________________________________________________________________________

The information provided is released by n.runs "as is" without warranty of
any kind. n.runs disclaims all warranties, either express or implied, expect
for the warranties of merchantability. In no eventshall n.runs be liable for
any damages whatsever including direct, indirect, incidental, consequential,
loss of business profits or special damages, even if n.runs has been advised
of the possibility of such damages.
Distribution or Reproduction of the information is provided that the
advisory is not modified in any way.

Copyright 2006 n.runs. All rights reserved. Terms of use.
________________________________________________________________________

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ