| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <!&!AAAAAAAAAAAYAAAAAAAAAEqlc0sEqCZMjFiSy1tj+RPCgAAAEAAAAGci3rwX//xOlm+dIPf7W/oBAAAAAA==@nruns.com>
Date: Mon, 16 Oct 2006 10:57:35 +0200
From: <security@...ns.com>
To: <full-disclosure@...ts.grok.org.uk>
Subject: Asbru HardCore Web Content Editor - Command
Injection
________________________________________________________________________
n.runs GmbH
http://www.nruns.com/ security@...ns.com
n.runs-SA-2006.001 15-Oct-2006
________________________________________________________________________
Vendor: Asbru Software, http://asbrusoft.com
Product: Asbru HardCore Web Content Editor,
http://editor.asbrusoft.com/
Vulnerability: Command Injection
________________________________________________________________________
Vendor communication:
2006/10/05 initial notification of AsbruSoft
2006/10/08 fix was created over the weekend, released
on Oct 8.
________________________________________________________________________
Overview:
The Asbru Software Web Content Editor allows for web-based advanced text
processing, replacing the typical TEXTAREA input fields with a rich user
interface,
offering HTML editing capabilities, formatting and various other features.
It integrates with Asbru Software's Content Management System, works with
most modern browsers and comes in versions for ASP, ASP.NET, PHP,
ColdFusion and JSP.
Description:
The spell checking feature uses ASpell, which is invoked through the
respective
language's process creation commands, such as proc_open() in PHP, Runtime's
exec() method in JSP, shell.Run() in ASP and the like. All these
invocations are
prone to a command injection attack, since ASpell's dictionary argument is
specified from a HTTP request parameter and the input is not sanitized.
This leads to immediate shell command execution if an attacker carefully
crafts this parameter's value. The vulnerability is *only* present if the
spell checking capability is in use.
Solution:
AsbruSoft reacted very quickly. The vulnerability was reported on Oct 5 and
a
fix was created over the weekend, released on Oct 8. The updated version
6.0.22 is available from
http://editor.asbrusoft.com/page.php/id=727.
________________________________________________________________________
Credit:
Bug found by Jan Muenther of n.runs GmbH. Thanks
________________________________________________________________________
References: None
________________________________________________________________________
The information provided is released by n.runs "as is" without warranty
of any kind. n.runs disclaims all warranties, either express or implied,
expect for the warranties of merchantability. In no eventshall n.runs be
liable for any damages whatsever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
n.runs has been advised of the possibility of such damages.
Distribution or Reproduction of the information is provided that the
advisory is not modified in any way.
Copyright 2006 n.runs. All rights reserved. Terms of use.
________________________________________________________________________
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists