lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <ALBATROSS3YgE4HO0wu000003c3@albatross.smb2go.net>
Date: Wed Sep  7 02:10:47 2005
From: brett.moore at security-assessment.com (Brett Moore)
Subject: WebArchiveX - Unsafe Methods Vulnerability

========================================================================
= WebArchiveX - Unsafe Methods Vulnerability
=
= Vendor Website: 
= http://http://www.csystems.co.il/webarchivex/index.aspx
=
= Affected Version:
=    WebArchiveX.dll 5.5.0.76 Installed Prior To Sep 6th, 2005
=
= Public disclosure on September 07, 2005
========================================================================

== Overview ==

The WebArchiveX component gives developers the ability to include .MHT
archive creation in their software and is compatible with a wide range
of programming languages.

Prior to September 6th 2005, the activeX component would install and
mark itself 'safe for scripting'. The component offers various methods
that when instantiated by a malicious web site, can be used to read files 
from, or write files to the local computer.

== Exploitation ==

The component has an extensive API that can be viewed online;
   http://www.csystems.co.il/WebArchiveX/help/api.html


This advisory concentrates on the two following methods;

* MakeArchive    - Build MHT web archive (single MHT file)
  Boolean MakeArchive(
     String htmlFile,
     String userAgent,
     String mhtFile
   );

  The MakeArchive method will accept a local path as the mhtFile 
  parameter, allowing a malicious web site to write a file to the local
  drive. By writing to the startup folder, it is possible to create a 
  .mht that will be executed locally at startup.


* MakeArchiveStr - Build MHT web archive and returns it as a string
  String MakeArchiveStr(
     String htmlFile,
     String userAgent
   );

  The MakeArchiveStr method will accept a local path as the htmlFile
  parameter. After reading in the file, the contents will be returned
  to the calling script. This allows a malicious website to read the 
  contents of any file accessible by the current user.  

== Solutions ==

- The vendor has changed the default installation to remove the 'safe for
  scripting' entry, but unfortunately has not changed the version number.
  The download now includes a readme file that contains;

  Why WebArchiveX is not safe for scripting?
  ------------------------------------------

  If WebArchiveX was safe for scripting, then malicious websites
  could use WebArchiveX in order to read/write files from/to your
  local file system. Please contact support@...stems.co.il for
  further details!

  In order to make WebArchiveX safe for scripting you can import
  the enclosed Registry file WebArchiveX_SafeForScripting.reg.

- To identify if this component is installed on your pc, search the 
  registry for WebArchiveX entries.

- If the entry is located, remove the 'safe for scripting' entry by
  removing these keys;
    \Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
    \Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}

- For additional help contact support@...stems.co.il
 
== Credit ==

Discovered and advised to cSystems August, 2005 by Brett Moore of
Security-Assessment.com

== About Security-Assessment.com ==

Security-Assessment.com is a leader in intrusion testing and security
code review, and leads the world with SA-ISO, online ISO17799 compliance
management solution. Security-Assessment.com is committed to security
research and development, and its team have previously identified a
number of vulnerabilities in public and private software vendors products.




e-mail protected and scanned by Bizo Email Filter - powered by Advascan


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ