Message-ID: <42E97599.3020608@spidynamics.com>
Date: Fri Jul 29 01:16:49 2005
From: epeterson at spidynamics.com (Erik Peterson)
Subject: SPIDynamics WebInspect Cross-Application Scripting (XAS)
SPI Dynamics Security Bulletin SPI-0001-07282005
Issue:
Potential WebInspect Cross Application Scripting (XAS) Vulnerability
Severity:
Low
Potential Impact:
Remote Code Execution
Recommendation:
All customers should run SmartUpdate to ensure they are running the
latest version of WebInspect (5.5.386 or later).
Affected Software:
WebInspect 5.0.196
Non-Affected Software:
WebInspect 5.5
QAInspect (all versions)
DevInspect (all versions)
SecureObjects (all versions)
AMP (all versions)
Description:
SPI Dynamics has investigated a public report of a Cross Application
Scripting (XAS) vulnerability in WebInspect. We have verified that
WebInspect 5.5 (released May 16th, 2005) is not vulnerable; however,
WebInspect version 5.0.196 was susceptible. We recommend that all customers
upgrade to WebInspect 5.5, which can be done automatically at any
time by running SmartUpdate.
Background:
Cross application scripting (XAS) is possible when an application
executes data in a security context different from that of the original
content (presumably one with fewer security restrictions). For example,
the data may be obtained from an untrusted source (a remote web server)
and sent unfiltered into a trusted application, as when web content is
downloaded from a remote server and then re-displayed on the local
host. Any application that downloads and later displays and
executes web content (such as JavaScript) may be vulnerable to XAS.
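The re-display path described above, as an added illustration that is not SPI Dynamics code (the report template, URL and captured response body are constructed): a scan report renderer that pastes captured remote content into a locally viewed page, beside one that escapes it first, with a parser-based check that confirms no active content survives in the rendered report.

```python
import html
from html.parser import HTMLParser

# Constructed sample: a response body captured from a remote site during a scan.
CAPTURED_BODY = ('<p>Login</p><script>alert("owned")</script>'
                 '<a href="javascript:void(0)" onclick="x()">go</a>')

# Constructed report template; the <pre> is meant to show the body as text.
REPORT_TEMPLATE = "<html><body><h1>Finding: {url}</h1><pre>{body}</pre></body></html>"


def render_unsafe(url: str, body: str) -> str:
    """Vulnerable pattern: captured remote content is placed into the locally
    displayed report verbatim, so any script in it runs in the report viewer's
    local (trusted) security context rather than the remote site's."""
    return REPORT_TEMPLATE.format(url=url, body=body)


def render_safe(url: str, body: str) -> str:
    """Hardened pattern: escape every captured string so the browser shows the
    markup as text and never parses it as elements, handlers or URLs."""
    return REPORT_TEMPLATE.format(url=html.escape(url, quote=True),
                                  body=html.escape(body, quote=True))


class _ActiveContentFinder(HTMLParser):
    """Records script elements, on* handler attributes and javascript: URLs."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.hits.append("script")
        for name, value in attrs:  # HTMLParser lowercases attribute names
            if name.startswith("on"):
                self.hits.append(f"{tag}@{name}")
            if value and value.strip().lower().startswith("javascript:"):
                self.hits.append(f"{tag}@{name}=javascript:")


def active_content(fragment: str) -> list:
    """Return the active-content findings in a rendered page, empty if inert."""
    finder = _ActiveContentFinder()
    finder.feed(fragment)
    finder.close()
    return finder.hits
```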
Disclosure Timeline:
April 15, 2005 08:01 AM - Initial disclosure to SPI Dynamics
April 15, 2005 09:28 AM - Initial SPI Dynamics response
July 26, 2005 04:45 AM - Public posting of disclosure (not coordinated
with SPI Dynamics)
Acknowledgements:
SPI Dynamics wishes to thank Sergey V. Gordeychik for informing us of
this vulnerability.
Disclaimer:
The information provided in this bulletin is provided "as is" without
warranty of any kind. SPI Dynamics, Inc. disclaims all warranties,
either express or implied, including the warranties of merchantability
and fitness for a particular purpose. In no event shall SPI Dynamics,
Inc. or its suppliers be liable for any damages whatsoever including
direct, indirect, incidental, consequential, loss of business profits or
special damages, even if SPI Dynamics, Inc. or its suppliers have been
advised of the possibility of such damages. Some states do not allow the
exclusion or limitation of liability for consequential or incidental
damages so the foregoing limitation may not apply.
Revisions:
V1.0 (July 27, 2005): Internal Release
V1.1 (July 28, 2005): Bulletin published
Contact:
Security issues and questions related to security bulletins may be sent
to SPI Dynamics at security-alert@...dynamics.com