[NT] Accessibility Control Bypass Vulnerability of Wrapsody Viewer
From: SecuriTeam (support_at_securiteam.com)
Date: 09/02/03
- Previous message: SecuriTeam: "[NEWS] SAP Internet Transaction Server Multiple Vulnerabilities"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 2 Sep 2003 16:12:14 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Accessibility Control Bypass Vulnerability of Wrapsody Viewer
------------------------------------------------------------------------
SUMMARY
<http://eng.wrapsody.co.kr/viewer.asp> Wrapsody is a "Fasoo.com's
solution designed to enable confidential information to be securely shared
among friends, colleagues and business partners. It encrypts files and
allows senders to set up rules including whether recipients have right to
view, print, copy, paste and/or save so that the sent message does not
open to those who was not intended by the sender".
A malicious user can bypass the copy and paste restriction of Wrapsody
viewer by not conforming to the intended behavior expected by Wrapsody
developers.
DETAILS
Vulnerable systems:
* Wrapsody Viewer 3.0 and prior
Impact:
Pubic exposure of confidential information stored in encrypted files.
Solution:
Fasoo.com fixed this problem and released patched viewers available at
following addresses:
<http://www.wrapsody.co.kr/viewer.asp>
http://www.wrapsody.co.kr/viewer.asp (Korean Version)
<http://eng.wrapsody.co.kr/viewer.asp>
http://eng.wrapsody.co.kr/viewer.asp (English Version)
Administrators should upgrade vulnerable viewers to prevent the
divulgement of confidential information.
Vendor Status:
2003-07-28 Fasoo.com notified.
2003-07-29 Second attempt at vendor contact.
2003-08-29 Third attempt at vendor contact and they replied fixed versions
were released.
2003-09-02 Public disclosure.
ADDITIONAL INFORMATION
The information has been provided by <mailto:advisory@stgsecurity.com>
SSR Team.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[NEWS] SAP Internet Transaction Server Multiple Vulnerabilities"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
