STG Security Advisory: [SSA-20030902-04] Accessibility control bypass vulnerability of Wrapsody Viewer

Revision 1.0
Date Published: 2003-09-02 (KST)
Last Update: 2003-09-02
Disclosed by SSR Team (advisory@stgsecurity.com)

Abstract
========
Wrapsody is Fasoo.com's solution designed to enable confidential information to be securely shared among friends, colleagues and business partners. It encrypts files and allows senders to set up rules, including whether recipients have the right to view, print, copy, paste and/or save, so that the sent message is not opened by anyone the sender did not intend.

Vulnerability Class
===================
Implementation Error: Inappropriate Implementation

Details
=======
A malicious user can bypass the copy & paste restriction of Wrapsody viewer through a specific workflow instead of the naive one intended by the Wrapsody developers.

Impact
======
Public exposure of confidential information stored in encrypted files

Solution
========
Fasoo.com fixed this problem and released patched viewers, available at the following addresses:

http://www.wrapsody.co.kr/viewer.asp (Korean Version)
http://eng.wrapsody.co.kr/viewer.asp (English Version)

Administrators should upgrade vulnerable viewers to prevent the disclosure of confidential information.

Affected Products
=================
Wrapsody Viewer 3.0 and below

Vendor Status: FIXED
====================
2003-07-28 Fasoo.com notified.
2003-07-29 Second attempt at vendor contact.
2003-08-29 Third attempt at vendor contact; they replied that fixed versions were released.
2003-09-02 Public disclosure

Credits
=======
Yongchan Kim at STG Security

About STG Security
==================
STG Security Inc. is an affiliated company of STG Group which has its head office in the States, founded in March 2000. Its core business area is professional penetration testing, security code review and BS7799 consulting services.

http://www.stgsecurity.com/
Phone +82-2-6333-4500
FAX +82-2-6333-4545