Web Encryption Extension Authentication Bypass

Web Encryption Extension Authentication Bypass: Posted Jul 28, 2014; Authored by Ralf Senderek; Web Encryption Extension (WEE) suffers from an authentication bypass vulnerability.; tags | advisory, web, bypass; SHA-256 | d5595fa91a8fa0538252e28f43e88473d0efbfa67e816fb5451770506195f0b3; Download | Favorite | View

Web Encryption Extension Authentication Bypass

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Revision:         1.0
Last Updated:     25 July 2014
First Published:  25 July 2014

Summary:
         A security issue was found in the Web Encryption Extension.

         Authenticated users are able to modify the content of https request
         fields to insert code into the pipeline mechanism of PHP.


Severity:         High


Affected Software Versions:

         All versions of the Web Encryption Extension prior to version 3.0


Impact:

         Authenticated users of the Web Encryption Extension are able to
         inject code into user provided input, that will be executed with
         web server permissions.

Fixes:

         The vulnerability has been fixed in WEE version 3.0, upgrades to
         this version must replace all active instances of WEE.

         The following downloads are available:

         https://senderek.ie/downlaods/latest/wee-3.0.tar
         https://senderek.ie/downloads/release/webmail/wee-roundcube.tar
         https://senderek.ie/downloads/release/cloud/wee-owncloud.tar
         https://senderek.ie/downloads/release/db/wee-phpmyadmin.tar
         https://senderek.ie/downloads/release/contact/securecontact.tar
         https://senderek.ie/downloads/release/webmail/wee-atmailopen.tar
         https://senderek.ie/downloads/release/webmail/wee-vtiger.tar



Risk Mitigation:

         While using vulnerable versions of WEE, users are advised to disable
         non-authenticated access like guest and demo accounts to the software.

(c) 2014 Senderek Web Security

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQIcBAEBAgAGBQJT0qBIAAoJECyxzx4lRhdKttgQAJN4rhgyjCuh1TQuENpRaAtB
nHLNABaXvn6jvCmPX9Rqqk7JxS29mLfg5pbSZ6sxAEPudRDoecleVeKDgXfU+CLb
Uf6RCR9dj17OVy7CmZ05BKXX/Fv3VLk8H2OaIZz2P+vTp8ww4wWAWT3YnI6cuXg5
RLmyHTMk+sMN7eOXNq0uKkM+YArrryaAiVAb71s28z4VSAf5v0KtxBKIu8JlHV3w
hd7/SAIfxT8RTZVCLDh9uUpBpPNYgYEV0vd4OhzDVExT0w/aK1YT295+jZ8dmmnX
n+8wc7wkiQqQ8LGedEAdZdrgTAwLRfwTwh1mfRvmQ4pnYcwcjiBHT33S/L/WBa72
EMYBhkfcH6STLR0IVbklPZxHpbRlItbUvHG6ZCZ9+Pnh8baTtkuetXKb12zHW17l
nBpd+ecQZKZ8/XKf1uZGD+8C7EX0GEscV9V1yygz2OawMSx6Rmg7EmPZV1NprF05
prQ4uMSDIeF/2Ufy99fas7Wgl0qa0IZXQkOGM3MaDI+CXMR6P7fIo8WxZJ6NQk1S
/BHy8G4eKPed3pL3g1UhHZeuVA9NIuU3jGPvIJk2H0T2rtjmwUKLQLpAxkm+Zd4O
cziXn1ej8CdMKDDBKyMBSLjz44f3Ctj1eBWEN+sjE7Oky2EPRuYSs2ASh/Xsea5w
OauMHb9f1XN+hvUwOJmX
=wGyi
-----END PGP SIGNATURE-----

Top Authors In Last 30 Days

Red Hat 210 files
Ubuntu 64 files
Debian 27 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
Ersin Erenler 4 files
E1.Coders 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

Web Encryption Extension Authentication Bypass

Web Encryption Extension Authentication Bypass

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Web Encryption Extension Authentication Bypass

Share This

Web Encryption Extension Authentication Bypass

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems