[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-Disclosure] STG Security Advisory: [SSA-20030902-04] Accessibility control bypass vulnerability of Wrapsody Viewer
- To: "SecurityTracker" <bugs@xxxxxxxxxxxxxxxxxxx>, "SecuriTeam" <news@xxxxxxxxxxxxxx>, "Secunia" <vuln@xxxxxxxxxxx>, "Packet Storm Security" <submissions@xxxxxxxxxxxxxxxxxxxxxxx>, "Full Disclosure" <full-disclosure@xxxxxxxxxxxxxxxx>, "BugTraq" <bugtrack@xxxxxxxxxxxxxxxxx>
- Subject: [Full-Disclosure] STG Security Advisory: [SSA-20030902-04] Accessibility control bypass vulnerability of Wrapsody Viewer
- From: "SSR Team" <advisory@xxxxxxxxxxxxxxx>
- Date: Tue, 2 Sep 2003 17:21:28 +0900
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
STG Security Advisory: [SSA-20030902-04]
Accessibility control bypass vulnerability of Wrapsody Viewer
Revision 1.0
Date Published: 2003-09-02 (KST)
Last Update: 2003-09-02
Disclosed by SSR Team (advisory@xxxxxxxxxxxxxxx)
Abstract
========
Wrapsody is a Fasoo.com's solution designed to enable confidential
information to be securely shared among friends, colleagues and business
partners. It encrypts files and allows senders to set up rules including
whether recipients have right to view, print, copy, paste and/or save so
that the sent message does not open to those who was not intended by the
sender.
Vulnerability Class
===================
Implementation Error: Inappropriate Implementation
Details
=======
A malicious user can bypass the copy & paste restriction of Wrapsody viewer
through a specific work flow instead of naive one intended by Wrapsody
developers.
Impact
======
Pubic exposure of confidential information stored in encrypted files
Solution
=========
Fasoo.com fixed this problem and released patched viewers available at
following addresses:
http://www.wrapsody.co.kr/viewer.asp (Korean Version)
http://eng.wrapsody.co.kr/viewer.asp (English Version)
Administrators should upgrade vulnerable viewers to prevent the divulgement
of confidential information.
Affected Products
================
Wrapsody Viewer 3.0 and below
Vendor Status: FIXED
====================
2003-07-28 Fasoo.com notified.
2003-07-29 Second attempt at vendor contact.
2003-08-29 Third attempt at vendor contact and they replied fixed
versions were released.
2003-09-02 Public disclosure
Credits
======
Yongchan Kim at STG Security
About STG Security
=================
STG Security Inc. is a affiliated company of STG Group which has its head
office in the States founded in march 2000. Its core business area is
professional penetration testing, security code review and BS7799 consulting
services.
http://www.stgsecurity.com/
Phone +82-2-6333-4500
FAX +82-2-6333-4545
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
iQA/AwUBP1RSxj9dVHd/hpsuEQKDFwCgnSeEhTN6WYC+lhINfdIbJh96TYgAoMpn
D1jHx8dQxiu6va7xmseor7RR
=HuUV
-----END PGP SIGNATURE-----
STG Security Advisory: [SSA-20030902-04]
Accessibility control bypass vulnerability of Wrapsody Viewer
Revision 1.0
Date Published: 2003-09-02 (KST)
Last Update: 2003-09-02
Disclosed by SSR Team (advisory@xxxxxxxxxxxxxxx)
Abstract
========
Wrapsody is a Fasoo.com's solution designed to enable confidential
information to be securely shared among friends, colleagues and business
partners. It encrypts files and allows senders to set up rules including
whether recipients have right to view, print, copy, paste and/or save so
that the sent message does not open to those who was not intended by the
sender.
Vulnerability Class
===================
Implementation Error: Inappropriate Implementation
Details
=======
A malicious user can bypass the copy & paste restriction of Wrapsody viewer
through a specific work flow instead of naive one intended by Wrapsody
developers.
Impact
======
Pubic exposure of confidential information stored in encrypted files
Solution
=========
Fasoo.com fixed this problem and released patched viewers available at
following addresses:
http://www.wrapsody.co.kr/viewer.asp (Korean Version)
http://eng.wrapsody.co.kr/viewer.asp (English Version)
Administrators should upgrade vulnerable viewers to prevent the divulgement
of confidential information.
Affected Products
================
Wrapsody Viewer 3.0 and below
Vendor Status: FIXED
====================
2003-07-28 Fasoo.com notified.
2003-07-29 Second attempt at vendor contact.
2003-08-29 Third attempt at vendor contact and they replied fixed
versions were released.
2003-09-02 Public disclosure
Credits
======
Yongchan Kim at STG Security
About STG Security
=================
STG Security Inc. is a affiliated company of STG Group which has its head
office in the States founded in march 2000. Its core business area is
professional penetration testing, security code review and BS7799 consulting
services.
http://www.stgsecurity.com/
Phone +82-2-6333-4500
FAX +82-2-6333-4545