[UNIX] Asbru HardCore Web Content Editor Command Injection
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 16 Oct 2006 11:08:31 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Asbru HardCore Web Content Editor Command Injection
------------------------------------------------------------------------
SUMMARY
The Asbru Software Web Content Editor (http://editor.asbrusoft.com/)
allows "for web-based advanced text processing, replacing the typical
TEXTAREA input fields with a rich user interface, offering HTML editing
capabilities, formatting and various other features. It integrates with
Asbru Software's Content Management System, works with most modern
browsers and comes in versions for ASP, ASP.NET, PHP, ColdFusion and JSP".
A command injection vulnerability in the editor's spell checking component
allows remote attackers to execute arbitrary shell commands on the web
server.
DETAILS
The spell checking feature invokes ASpell through each language's process
creation primitive: proc_open() in PHP, Runtime.exec() in JSP, shell.Run()
in ASP and the like. In every port the ASpell command line is built by
concatenating the dictionary name, which is taken directly from an HTTP
request parameter and is not sanitized. Because the resulting string is
interpreted as a command line, an attacker who crafts the parameter value
with shell metacharacters (for example a ';' followed by another command)
obtains immediate shell command execution on the server. The vulnerability
is *only* present if the spell checking capability is in use.
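The injection pattern described above, as an added example that is not code from Asbru Software or from the advisory. It is written in Python rather than in the product's PHP/JSP/ASP ports, the name of the request parameter and the dictionary allowlist are assumptions, and the attacker-controlled value is constructed. The vulnerable builder concatenates the parameter into a command line for a shell; the hardened builder validates the name against a strict pattern plus an allowlist and hands aspell an argv list so no shell parses attacker bytes:

```python
import re
import shlex
import shutil
import subprocess

# Constructed attacker value for the dictionary request parameter. The
# advisory does not name the parameter; "dictionary" here is an assumption.
MALICIOUS_DICT = "en; cat /etc/passwd"

# Assumed deployment allowlist: the dictionaries actually installed for aspell.
ALLOWED_DICTS = {"en", "en_GB", "en_US", "de", "fr"}
# Structural check on top of the allowlist: language[_REGION] only.
DICT_RE = re.compile(r"[A-Za-z]{2,3}(?:_[A-Za-z]{2})?")


def build_aspell_cmd_unsafe(dictionary):
    """Vulnerable pattern: the request parameter is concatenated into a
    command line that is then handed to a shell (the proc_open()/exec()/
    shell.Run() calls in the product's ports do the equivalent)."""
    return "aspell -a -d " + dictionary


def shell_commands(cmdline):
    """Split a command line the way a POSIX shell would, treating ';', '|'
    and '&' as command separators, and return the list of commands the
    shell would run. Shows the injection without executing anything."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=";|&")
    commands, current = [], []
    for token in lexer:
        if token and set(token) <= set(";|&"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def build_aspell_argv_safe(dictionary):
    """Hardened form: reject anything that is not a known dictionary name,
    then build an argv list so the value never reaches a shell parser."""
    if not DICT_RE.fullmatch(dictionary) or dictionary not in ALLOWED_DICTS:
        raise ValueError("unknown dictionary: %r" % dictionary)
    return ["aspell", "-a", "-d", dictionary]


def spell_check(text, dictionary):
    """Run aspell in pipe mode (-a) with a validated dictionary and return
    its raw output. Requires aspell and the dictionary to be installed."""
    argv = build_aspell_argv_safe(dictionary)
    result = subprocess.run(argv, input=text, capture_output=True,
                            text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    unsafe = build_aspell_cmd_unsafe(MALICIOUS_DICT)
    print("command line a shell would receive:", unsafe)
    for cmd in shell_commands(unsafe):
        print("  shell runs:", cmd)
    try:
        build_aspell_argv_safe(MALICIOUS_DICT)
    except ValueError as exc:
        print("hardened build rejects it:", exc)
    if shutil.which("aspell"):
        print(spell_check("Thsi is a tset", "en"))
```

The allowlist is the important half of the fix: quoting alone (escapeshellarg() in PHP, for instance) stops the shell metacharacters but still lets a caller pick any dictionary path aspell will accept, so the name should be checked against the set of dictionaries the deployment actually ships.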
Solution:
AsbruSoft reacted very quickly: the vulnerability was reported on Oct 5,
and a fix was created over the following weekend and released on Oct 8.
The updated version 6.0.22 is available from
http://editor.asbrusoft.com/page.php/id=727
ADDITIONAL INFORMATION
The information has been provided by Jan Muenther of n.runs GmbH
(security@xxxxxxxxx).
The original article can be found at:
http://editor.asbrusoft.com/page.php/id=727