From: r_i_c_h at btopenworld.com (Richard Maudsley)
Subject: FirstClass 7.1: Bypass File Execution Warning

Product: FirstClass Desktop Client 7.1
Developer: OpenText (+SoftArc/+Centrinity)
URL: http://www.opentext.com

Description: Files with specially crafted names execute without displaying
a warning prompt, bypassing the administrator's file-extension download
restrictions.

Details:
Files on the FirstClass server are managed by their ID; the actual name is
only used by the user to identify individual files. This means that two
files can have the same filename, no filename at all, or a filename that
includes characters which are invalid on Windows (<>\/?*"). If any invalid
characters are present in a filename and that file is downloaded/executed
from the server, the invalid characters are stripped from the local
filename. If no filename is provided at all, an integer is used to identify
the file locally. If the local file already exists, an integer is inserted
into the new file's name before the period (and file extension). When an
angle bracket (<) character is placed at the end of the file extension
(e.g. test.exe<), the file is no longer an .exe according to the server, so
upon double-click no warning/execution prompt is given to the user: the
file is downloaded (with an integer inserted before the file extension if a
local file of that name already exists), the angle bracket is stripped, and
the resulting file is executed/loaded using its associated software.

This problem should be easily resolved by stripping the invalid characters
first and only then checking the resulting file extension against the
administrator's settings, so that the extension check is applied to the same
name the client will actually write to disk and execute.
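The following is an added illustration of the ordering bug described above and of the suggested fix; it is not FirstClass code. It models the client-side filename handling the advisory describes (stripping of invalid Windows characters, fallback to the numeric file ID for an empty name, integer inserted before the extension on collision) and then compares a policy check run on the raw server-side name with one run on the sanitized local name. The function names, the blocked-extension list and the sample filenames are assumptions made for this example.

```python
import os

# Characters the advisory lists as invalid on Windows and stripped by the client.
INVALID_WIN_CHARS = '<>\\/?*"'

# Hypothetical administrator policy: extensions that must trigger the warning
# prompt (or be refused). The real FirstClass setting is not known here.
BLOCKED_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".scr", ".vbs"}


def extension_of(name):
    """Lower-cased extension of NAME, e.g. 'x.EXE' -> '.exe' ('' if none)."""
    return os.path.splitext(name)[1].lower()


def sanitize_local_name(server_name, file_id, existing):
    """Model of how the client derives the local filename, per the advisory:
    - characters invalid on Windows are stripped
    - an empty name falls back to the numeric file ID
    - on collision with an existing local file, an integer is inserted
      before the period / extension
    """
    name = "".join(c for c in server_name if c not in INVALID_WIN_CHARS)
    if not name:
        name = str(file_id)
    if name not in existing:
        return name
    stem, ext = os.path.splitext(name)
    n = 1
    while "%s%d%s" % (stem, n, ext) in existing:
        n += 1
    return "%s%d%s" % (stem, n, ext)


def is_blocked_vulnerable(server_name):
    """Flawed order: policy checked against the raw server-side name.
    'test.exe<' has extension '.exe<', which matches nothing in the policy."""
    return extension_of(server_name) in BLOCKED_EXTENSIONS


def is_blocked_fixed(server_name, file_id, existing):
    """Suggested order: derive the local name exactly as the client will,
    then check the policy against that name."""
    local = sanitize_local_name(server_name, file_id, existing)
    return extension_of(local) in BLOCKED_EXTENSIONS


def compare(server_name, file_id=1, existing=frozenset()):
    """Return (local name, vulnerable verdict, fixed verdict) for one filename."""
    return (
        sanitize_local_name(server_name, file_id, set(existing)),
        is_blocked_vulnerable(server_name),
        is_blocked_fixed(server_name, file_id, set(existing)),
    )


if __name__ == "__main__":
    # Constructed sample names: the advisory's case, a variant with the bracket
    # inside the extension, a collision, and an empty name.
    for sample in ("test.exe", "test.exe<", "test.ex<e", 'report.pdf', '<>?*"'):
        local, vuln, fixed = compare(sample, file_id=42, existing={"test.exe"})
        print("%-12r -> local %-12r  raw-name check blocks: %-5s  sanitized check blocks: %s"
              % (sample, local, vuln, fixed))
```

Note that the variant `test.ex<e` is caught only by the sanitized check as well: any invalid character anywhere in the extension defeats a check performed on the raw name, not just a trailing one.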

Enjoy,
        Richard Maudsley

http://www.mindblock.org/
