[<prev] [next>] [day] [month] [year] [list]
Message-ID: <ALBATROSS9h8KxJ9lqA000003c2@albatross.smb2go.net>
Date: Wed, 7 Sep 2005 12:43:19 +1200
From: "Brett Moore" <brett.moore@...urity-assessment.com>
To: <bugtraq@...urityfocus.com>
Subject: WebArchiveX - Unsafe Methods Vulnerability
========================================================================
= WebArchiveX - Unsafe Methods Vulnerability
=
= Vendor Website:
= http://http://www.csystems.co.il/webarchivex/index.aspx
=
= Affected Version:
= WebArchiveX.dll 5.5.0.76 Installed Prior To Sep 6th, 2005
=
= Public disclosure on September 07, 2005
========================================================================
== Overview ==
The WebArchiveX component gives developers the ability to include .MHT
archive creation in their software and is compatible with a wide range
of programming languages.
Prior to September 6th 2005, the activeX component would install and
mark itself 'safe for scripting'. The component offers various methods
that when instantiated by a malicious web site, can be used to read files
from, or write files to the local computer.
== Exploitation ==
The component has an extensive API that can be viewed online;
http://www.csystems.co.il/WebArchiveX/help/api.html
This advisory concentrates on the two following methods;
* MakeArchive - Build MHT web archive (single MHT file)
Boolean MakeArchive(
String htmlFile,
String userAgent,
String mhtFile
);
The MakeArchive method will accept a local path as the mhtFile
parameter, allowing a malicious web site to write a file to the local
drive. By writing to the startup folder, it is possible to create a
.mht that will be executed locally at startup.
* MakeArchiveStr - Build MHT web archive and returns it as a string
String MakeArchiveStr(
String htmlFile,
String userAgent
);
The MakeArchiveStr method will accept a local path as the htmlFile
parameter. After reading in the file, the contents will be returned
to the calling script. This allows a malicious website to read the
contents of any file accessible by the current user.
== Solutions ==
- The vendor has changed the default installation to remove the 'safe for
scripting' entry, but unfortunately has not changed the version number.
The download now includes a readme file that contains;
Why WebArchiveX is not safe for scripting?
------------------------------------------
If WebArchiveX was safe for scripting, then malicious websites
could use WebArchiveX in order to read/write files from/to your
local file system. Please contact support@...stems.co.il for
further details!
In order to make WebArchiveX safe for scripting you can import
the enclosed Registry file WebArchiveX_SafeForScripting.reg.
- To identify if this component is installed on your pc, search the
registry for WebArchiveX entries.
- If the entry is located, remove the 'safe for scripting' entry by
removing these keys;
\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
- For additional help contact support@...stems.co.il
== Credit ==
Discovered and advised to cSystems August, 2005 by Brett Moore of
Security-Assessment.com
== About Security-Assessment.com ==
Security-Assessment.com is a leader in intrusion testing and security
code review, and leads the world with SA-ISO, online ISO17799 compliance
management solution. Security-Assessment.com is committed to security
research and development, and its team have previously identified a
number of vulnerabilities in public and private software vendors products.
e-mail protected and scanned by Bizo Email Filter - powered by Advascan
Powered by blists - more mailing lists