[Full-disclosure] WebArchiveX - Unsafe Methods Vulnerability
From: Brett Moore (brett.mooresecurity-assessment.com)
Date: Tue Sep 06 2005 - 19:43:37 CDT
= WebArchiveX - Unsafe Methods Vulnerability
= Vendor Website:
= Affected Version:
= WebArchiveX.dll 18.104.22.168 Installed Prior To Sep 6th, 2005
= Public disclosure on September 07, 2005
== Overview ==
The WebArchiveX component gives developers the ability to include .MHT
archive creation in their software and is compatible with a wide range
of programming languages.
Prior to September 6th 2005, the ActiveX component would install and
mark itself 'safe for scripting'. The component offers various methods
that, when instantiated by a malicious web site, can be used to read files
from, or write files to, the local computer.
== Exploitation ==
The component has an extensive API that can be viewed online;
This advisory concentrates on the following two methods:
* MakeArchive - Build MHT web archive (single MHT file)
The MakeArchive method will accept a local path as the mhtFile
parameter, allowing a malicious web site to write a file to the local
drive. By writing to the startup folder, it is possible to create a
.mht that will be executed locally at startup.
* MakeArchiveStr - Build MHT web archive and returns it as a string
The MakeArchiveStr method will accept a local path as the htmlFile
parameter. After reading in the file, the contents will be returned
to the calling script. This allows a malicious website to read the
contents of any file accessible by the current user.
== Solutions ==
- The vendor has changed the default installation to remove the 'safe for
scripting' entry, but unfortunately has not changed the version number.
The download now includes a readme file that contains;
Why WebArchiveX is not safe for scripting?
If WebArchiveX was safe for scripting, then malicious websites
could use WebArchiveX in order to read/write files from/to your
local file system. Please contact supportcsystems.co.il for
In order to make WebArchiveX safe for scripting you can import
the enclosed Registry file WebArchiveX_SafeForScripting.reg.
- To identify whether this component is installed on your PC, search the
registry for WebArchiveX entries.
- If the entry is located, remove the 'safe for scripting' entry by
removing these keys;
- For additional help contact supportcsystems.co.il
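
The registry check described above, written out as a PowerShell script. This is an added example, not part of the original advisory or the vendor's readme. It assumes the 'safe for scripting' marking is registered through the standard COM "Implemented Categories" keys (a control can also declare safety in code via IObjectSafety, which this does not detect); the two CATIDs are the standard COM category identifiers and the function name is hypothetical.

```powershell
# Added example, not from the advisory. The two CATIDs are the standard COM
# component categories for "safe for scripting" and "safe for initializing".
$SafeCategories = @{
    '{7DD95801-9882-11CF-9FA9-00AA006C42C4}' = 'safe for scripting'
    '{7DD95802-9882-11CF-9FA9-00AA006C42C4}' = 'safe for initializing'
}
$Pattern = 'WebArchiveX'   # component name from the advisory

# Per-machine, 32-bit-on-64-bit and per-user COM registrations.
$Roots = @(
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID'
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID'
    'Registry::HKEY_CURRENT_USER\Software\Classes\CLSID'
) | Where-Object { Test-Path -LiteralPath $_ }

function Get-SafeMarkedClass {
    foreach ($root in $Roots) {
        foreach ($clsid in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            # Identify the class by its display name, ProgID and server DLL path.
            $id = @($clsid.GetValue(''))
            foreach ($sub in 'ProgID', 'InprocServer32') {
                $k = $clsid.OpenSubKey($sub)
                if ($k) { $id += $k.GetValue(''); $k.Close() }
            }
            if (($id -join ' ') -notmatch $Pattern) { continue }

            # Report each safety category registered for the matching class.
            foreach ($catid in $SafeCategories.Keys) {
                $path = "$($clsid.PSPath)\Implemented Categories\$catid"
                if (Test-Path -LiteralPath $path) {
                    [pscustomobject]@{
                        Clsid   = $clsid.PSChildName
                        Names   = ($id | Where-Object { $_ }) -join '; '
                        Marking = $SafeCategories[$catid]
                        KeyPath = $path
                    }
                }
            }
        }
    }
}

$found = @(Get-SafeMarkedClass)
$found | Format-Table Clsid, Marking, Names -AutoSize

# Preview the removal; drop -WhatIf (from an elevated prompt) to delete the keys.
$found | ForEach-Object { Remove-Item -LiteralPath $_.KeyPath -Recurse -WhatIf }
```

An empty result means no matching class carries either category key under the searched roots; it does not by itself show that the component is absent.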
== Credit ==
Discovered and advised to cSystems August, 2005 by Brett Moore of
== About Security-Assessment.com ==
Security-Assessment.com is a leader in intrusion testing and security
code review, and leads the world with SA-ISO, online ISO17799 compliance
management solution. Security-Assessment.com is committed to security
research and development, and its team have previously identified a
number of vulnerabilities in public and private software vendors' products.