[Full-Disclosure] FirstClass 7.1: Bypass File Execution Warning
- To: full-disclosure@lists.netsys.com, bugtraq@securrityfocus.com
- Subject: [Full-Disclosure] FirstClass 7.1: Bypass File Execution Warning
- From: "Richard Maudsley" <r_i_c_h@btopenworld.com>
- Date: Mon, 02 Feb 2004 07:41:38 +0000
Product: FirstClass Desktop Client 7.1
Developer: OpenText (+SoftArc/+Centrinity)
URL: http://www.opentext.com
Description: Files with specially crafted names execute without displaying a
warning prompt, bypassing the administrator's file-extension download
permissions.
Details:
Files on the FirstClass server are managed by their ID; the actual name is
only used by the user to identify individual files. This means that two
files can have the same filename, that a file can have no filename at all,
or that a filename can include characters that are invalid on Windows
(<>\/?*"). If any invalid characters have been used in a filename and that
file is downloaded or executed from the server, the invalid characters are
stripped from the local filename. If no filename is provided at all, an
integer is used to identify the file locally. If the local file already
exists, the new file's name includes an integer before the period (and file
extension).

When an angle bracket (<) is placed at the end of the file extension (e.g.
test.exe<), the file is no longer an .exe according to the server, so no
warning/execution prompt is shown to the user on double-click. The file is
downloaded (with an integer inserted before the file extension if the local
file already exists), the angle bracket is stripped, and the file is
executed/loaded by its associated software.

This problem should be easy to resolve by stripping the invalid characters
first and then checking the file extension against the administrator's
settings.
Enjoy,
Richard Maudsley
http://www.mindblock.org/
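To show why the order of the two steps matters, here is an added illustration (not FirstClass code; the blocklist, function names and file-ID value are assumptions) of the check-then-strip order the advisory describes beside the strip-then-check order it proposes, together with the local filename derivation described above.

```python
import os

# Characters that cannot appear in a Windows filename, as listed in the advisory.
INVALID_CHARS = '<>\\/?*"'
# Assumed blocklist standing in for the administrator's download/execution settings.
BLOCKED_EXTENSIONS = {".exe", ".com", ".bat", ".scr"}


def strip_invalid_chars(name: str) -> str:
    """Remove the characters the client strips when it writes the local file."""
    return "".join(ch for ch in name if ch not in INVALID_CHARS)


def extension_of(name: str) -> str:
    return os.path.splitext(name)[1].lower()


def needs_warning_vulnerable(server_name: str) -> bool:
    """Check-then-strip: the extension is examined on the raw server-side name,
    so 'test.exe<' yields the extension '.exe<' and is not recognised as .exe."""
    return extension_of(server_name) in BLOCKED_EXTENSIONS


def needs_warning_fixed(server_name: str) -> bool:
    """Strip-then-check: normalise to the name the file will actually have on
    disk, then compare its extension against the administrator's settings."""
    local_name = strip_invalid_chars(server_name)
    return extension_of(local_name) in BLOCKED_EXTENSIONS


def local_filename(server_name: str, existing: set, file_id: int) -> str:
    """Derive the local filename the way the advisory describes the client doing
    it: strip invalid characters, fall back to the (assumed) numeric file ID when
    nothing is left, and insert an integer before the extension on collision."""
    name = strip_invalid_chars(server_name)
    if not name:
        name = str(file_id)
    if name not in existing:
        return name
    stem, ext = os.path.splitext(name)
    n = 1
    while f"{stem}{n}{ext}" in existing:
        n += 1
    return f"{stem}{n}{ext}"
```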