SPI Dynamics Security Bulletin SPI-0001-07282005

Issue: Potential WebInspect Cross Application Scripting (XAS) Vulnerability

Severity: Low

Potential Impact: Remote Code Execution

Recommendation: All customers should run SmartUpdate to ensure they are running the latest version of WebInspect (5.5.386 or later).

Affected Software:
WebInspect 5.0.196

Non-Affected Software:
WebInspect 5.5
QAInspect (all versions)
DevInspect (all versions)
SecureObjects (all versions)
AMP (all versions)

Description: SPI Dynamics has investigated a public report of a Cross Application Scripting (XAS) vulnerability in WebInspect. We have verified that WebInspect 5.5 (released May 16th, 2005) is not vulnerable; however, WebInspect version 5.0.196 was susceptible. We recommend all customers upgrade to WebInspect 5.5, which can be done automatically at any time by running SmartUpdate.

Background: Cross application scripting (XAS) is possible when an application executes data in a security context different from that of the original content (presumably one with fewer security restrictions). For example, data obtained from an untrusted source (a remote web server) may be passed unfiltered into a trusted application, such as when web content is downloaded from a remote server and then re-displayed on the local host. Any application that downloads and later displays and executes web content (such as JavaScript) may be vulnerable to XAS.

Disclosure Timeline:
April 15, 2005 08:01 AM – Initial disclosure to SPI Dynamics
April 15, 2005 09:28 AM – Initial SPI Dynamics response
July 26, 2005 04:45 AM – Public posting of disclosure (not coordinated with SPI Dynamics)

Acknowledgements: SPI Dynamics wishes to thank Sergey V. Gordeychik for informing us of this vulnerability.

Disclaimer: The information provided in this bulletin is provided "as is" without warranty of any kind. SPI Dynamics, Inc. disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall SPI Dynamics, Inc. or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if SPI Dynamics, Inc. or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:
V1.0 (July 27, 2005): Internal Release
V1.1 (July 28, 2005): Bulletin published

Contact: Security issues and questions related to security bulletins may be sent to SPI Dynamics at security-alert@spidynamics.com
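The Background section above describes the XAS pattern in general terms: a tool fetches content from an untrusted remote server and later re-displays it in a more trusted context, so any script in the fetched content runs with the privileges of the viewer. The following is an added example written for this page, not SPI Dynamics or WebInspect code, and it makes no claim about how WebInspect itself built its reports. It contrasts a report builder that copies a fetched response body into local HTML verbatim with one that HTML-escapes every untrusted field first, and includes a parser-based check a defender can run over generated reports to detect live script tags or inline event handlers. The response body and URL are constructed sample values.

```python
"""Cross Application Scripting (XAS): unsafe vs. escaped re-display of fetched content.

Added example, not code from the bulletin or from WebInspect.  The "remote
response" below is a constructed sample standing in for a page a scanner
might fetch from a hostile server.
"""
import html
from html.parser import HTMLParser

# Constructed sample: a response body as a hostile remote server might return it.
UNTRUSTED_RESPONSE = (
    "<h1>Welcome</h1>\n"
    "<script>alert('runs in the report viewer')</script>\n"
    '<img src="x" onerror="alert(1)">'
)
SAMPLE_URL = "http://example.test/"  # constructed placeholder, not a real target


def build_report_unsafe(url: str, body: str) -> str:
    """Vulnerable pattern: the remote body is pasted into the local report as-is,
    so its markup and script become part of the report document."""
    return f"<html><body><h2>Response from {url}</h2><pre>{body}</pre></body></html>"


def build_report_safe(url: str, body: str) -> str:
    """Hardened pattern: every untrusted field is HTML-escaped before insertion,
    so the remote markup is shown as text rather than interpreted."""
    return (
        "<html><body>"
        f"<h2>Response from {html.escape(url, quote=True)}</h2>"
        f"<pre>{html.escape(body, quote=True)}</pre>"
        "</body></html>"
    )


class _ActiveContentFinder(HTMLParser):
    """Collects script elements and on* event-handler attributes that the
    HTML parser actually recognises as markup (escaped text is ignored)."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script tag")
        for name, _value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{tag}@{name}")


def find_active_content(report_html: str) -> list[str]:
    """Detection check for generated reports: returns a list of live script
    tags / inline handlers found; an empty list means none were parsed."""
    finder = _ActiveContentFinder()
    finder.feed(report_html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    unsafe = build_report_unsafe(SAMPLE_URL, UNTRUSTED_RESPONSE)
    safe = build_report_safe(SAMPLE_URL, UNTRUSTED_RESPONSE)
    print("unsafe report active content:", find_active_content(unsafe))
    print("safe report active content:  ", find_active_content(safe))
```

Escaping fixes the content side of the problem; the other half of the bulletin's definition is the security context the report is opened in, so a report viewer should also run with the restrictions of untrusted content rather than those of local application files.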