SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   WebArchiveX Vendors:   CSystems
WebArchiveX 'Safe for Scripting' Setting Lets Remote Users Read and Write Files
SecurityTracker Alert ID:  1014867
SecurityTracker URL:  http://securitytracker.com/id/1014867
CVE Reference:   CVE-2005-2891   (Links to External Site)
Updated:  Jun 8 2008
Original Entry Date:  Sep 7 2005
Impact:   Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): WebArchiveX.dll 5.5.0.76 installed prior to September 6, 2005
Description:   A vulnerability was reported in WebArchiveX. A remote user can read and write files on the target system.

The WebArchiveX component API allows a remote user to invoke various methods to read and write files on the target system with the privileges of the target user. The component is marked as 'Safe for Scripting'.

The MakeArchive() method allows the remote user to write a '.mht' file on the target system. This can be exploited to write a file to the startup folder so that the code in file will be executed the next time the system is started.

The MakeArchiveStr() method allows the remote user to view arbitrary files on the target system with the privileges of the target user.

The vendor was notified in August 2005.

Brett Moore of Security-Assessment.com discovered this vulnerability.

Impact:   A remote user can read and write files on the target system with the privileges of the target user.
Solution:   The vendor has removed the 'safe for scripting' setting in versions available on September 6, 2005 and later dates. The version number has not been incremented.
Vendor URL:  www.csystems.co.il/webarchivex/index.aspx (Links to External Site)
Cause:   Access control error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  WebArchiveX - Unsafe Methods Vulnerability

This is a multi-part message in MIME format...

------------=_1126053765-7735-40
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

========================================================================
= WebArchiveX - Unsafe Methods Vulnerability
=
= Vendor Website: 
= http://http://www.csystems.co.il/webarchivex/index.aspx
=
= Affected Version:
=    WebArchiveX.dll 5.5.0.76 Installed Prior To Sep 6th, 2005
=
= Public disclosure on September 07, 2005
========================================================================

== Overview ==

The WebArchiveX component gives developers the ability to include .MHT
archive creation in their software and is compatible with a wide range
of programming languages.

Prior to September 6th 2005, the activeX component would install and
mark itself 'safe for scripting'. The component offers various methods
that when instantiated by a malicious web site, can be used to read files 
from, or write files to the local computer.

== Exploitation ==

The component has an extensive API that can be viewed online;
   http://www.csystems.co.il/WebArchiveX/help/api.html


This advisory concentrates on the two following methods;

* MakeArchive    - Build MHT web archive (single MHT file)
  Boolean MakeArchive(
     String htmlFile,
     String userAgent,
     String mhtFile
   );

  The MakeArchive method will accept a local path as the mhtFile 
  parameter, allowing a malicious web site to write a file to the local
  drive. By writing to the startup folder, it is possible to create a 
  .mht that will be executed locally at startup.


* MakeArchiveStr - Build MHT web archive and returns it as a string
  String MakeArchiveStr(
     String htmlFile,
     String userAgent
   );

  The MakeArchiveStr method will accept a local path as the htmlFile
  parameter. After reading in the file, the contents will be returned
  to the calling script. This allows a malicious website to read the 
  contents of any file accessible by the current user.  

== Solutions ==

- The vendor has changed the default installation to remove the 'safe for
  scripting' entry, but unfortunately has not changed the version number.
  The download now includes a readme file that contains;

  Why WebArchiveX is not safe for scripting?
  ------------------------------------------

  If WebArchiveX was safe for scripting, then malicious websites
  could use WebArchiveX in order to read/write files from/to your
  local file system. Please contact support@csystems.co.il for
  further details!

  In order to make WebArchiveX safe for scripting you can import
  the enclosed Registry file WebArchiveX_SafeForScripting.reg.

- To identify if this component is installed on your pc, search the 
  registry for WebArchiveX entries.

- If the entry is located, remove the 'safe for scripting' entry by
  removing these keys;
    \Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
    \Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}

- For additional help contact support@csystems.co.il
 
== Credit ==

Discovered and advised to cSystems August, 2005 by Brett Moore of
Security-Assessment.com

== About Security-Assessment.com ==

Security-Assessment.com is a leader in intrusion testing and security
code review, and leads the world with SA-ISO, online ISO17799 compliance
management solution. Security-Assessment.com is committed to security
research and development, and its team have previously identified a
number of vulnerabilities in public and private software vendors products.




e-mail protected and scanned by Bizo Email Filter - powered by Advascan



------------=_1126053765-7735-40--

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC