n.runs-SA-2006.001 Asbru HardCore Web Content Editor - Command Injection
n.runs GmbH
http://www.nruns.com
n.runs-SA-2006.001
security(at)nruns.com
15-Oct-2006
* * *
Vendor: Asbru Software, http://asbrusoft.com
Product: Asbru HardCore Web Content Editor
Vulnerability: Command Injection
Risk: HIGH
Vendor communication:
2006/10/05 initial notification of AsbruSoft
2006/10/08 fix was created over the weekend, released on Oct 8.
Overview:
The Asbru Software Web Content Editor allows for web-based advanced text
processing, replacing the typical TEXTAREA input fields with a rich user
interface, offering HTML editing capabilities, formatting and various other features.
It integrates with Asbru Software's Content Management System, works with
most modern browsers and comes in versions for ASP, ASP.NET, PHP,
ColdFusion and JSP.
Description:
The spell checking feature uses ASpell, which is invoked through the
respective language's process creation commands, such as proc_open() in PHP, Runtime's
exec() method in JSP, shell.Run() in ASP and the like. All these
invocations are prone to a command injection attack, since ASpell's dictionary argument is
specified from a HTTP request parameter and the input is not sanitized.
This leads to immediate shell command execution if an attacker carefully
crafts this parameter's value. The vulnerability is only present if the
spell checking capability is in use.
Solution:
AsbruSoft reacted very quickly. The vulnerability was reported on Oct 5 and
a fix was created over the weekend, released on Oct 8. The updated version
6.0.22 is available from http://editor.asbrusoft.com/page.php/id=727
Credit:
Bug found by Jan Muenther of n.runs GmbH.
References:
None
Unaltered electronic reproduction of this advisory is permitted.
For all other reproduction or publication, in printing or otherwise, contact security@nruns.com for permission.
Use of the advisory constitutes acceptance for use in an "as is" condition.
All warranties are excluded. In no event shall n.runs be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if n.runs has been advised of the possibility of such damages.
Copyright 2006 n.runs GmbH. All rights reserved. Terms of use apply. |
