Web Encryption Extension Authentication Bypass

2014.07.29
Credit: Senderek
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Revision: 1.0
Last Updated: 25 July 2014
First Published: 25 July 2014

Summary:
A security issue was found in the Web Encryption Extension. Authenticated users are able to modify the content of HTTPS request fields to insert code into the pipeline mechanism of PHP.

Severity: High

Affected Software Versions:
All versions of the Web Encryption Extension prior to version 3.0

Impact:
Authenticated users of the Web Encryption Extension are able to inject code into user-provided input that will be executed with web server permissions.

Fixes:
The vulnerability has been fixed in WEE version 3.0. Upgrades to this version must replace all active instances of WEE. The following downloads are available:

https://senderek.ie/downlaods/latest/wee-3.0.tar
https://senderek.ie/downloads/release/webmail/wee-roundcube.tar
https://senderek.ie/downloads/release/cloud/wee-owncloud.tar
https://senderek.ie/downloads/release/db/wee-phpmyadmin.tar
https://senderek.ie/downloads/release/contact/securecontact.tar
https://senderek.ie/downloads/release/webmail/wee-atmailopen.tar
https://senderek.ie/downloads/release/webmail/wee-vtiger.tar

Risk Mitigation:
While using vulnerable versions of WEE, users are advised to disable non-authenticated access like guest and demo accounts to the software.

(c) 2014 Senderek Web Security
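The advisory gives no code, so the following is an added example and not taken from WEE or from Senderek. It assumes that "pipeline mechanism" means request fields reach an external program through a pipe, and shows that hand-off done without a shell; the function names, the sample fields and the stand-in child process are hypothetical.

```php
<?php
// Added example, not WEE code. Assumption: "pipeline mechanism" means request
// fields reach an external program through a pipe. Names are hypothetical.

// Allow-list check for a field that becomes a command argument.
function validate_recipient(string $v): string
{
    // First character may not be '-', so the value cannot pose as an option.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._+-]{0,63}@[A-Za-z0-9.-]{1,253}\z/', $v)) {
        throw new InvalidArgumentException('recipient rejected');
    }
    return $v;
}

// Run a program with no shell in between. The pattern this replaces is
//   popen('filter --to ' . $_POST['recipient'], 'w');
// where the field is parsed by /bin/sh as part of the command line.
function pipe_through(array $argv, string $stdin): string
{
    if (strlen($stdin) > 4096) {             // short form fields only; avoids pipe deadlock
        throw new LengthException('input too large');
    }
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w']];
    $proc = proc_open($argv, $spec, $pipes); // array form (PHP >= 7.4): direct exec
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start process');
    }
    fwrite($pipes[0], $stdin);               // user text is data on stdin, never syntax
    fclose($pipes[0]);
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    if (proc_close($proc) !== 0) {
        throw new RuntimeException('external program failed');
    }
    return $out;
}

// Constructed sample fields; a child PHP process stands in for the real program.
$child = [PHP_BINARY, '-r', 'echo $argv[1], ": ", stream_get_contents(STDIN);', '--'];
$fields = ['alice@example.org' => 'hello $(date)', 'bob@example.org; date' => 'hi'];
foreach ($fields as $recipient => $message) {
    try {
        echo pipe_through([...$child, validate_recipient($recipient)], $message), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected field: ', $e->getMessage(), "\n";
    }
}
```

Run from the PHP command line, the first field pair comes back with its shell metacharacters intact as literal text, and the second is refused before any process is started.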

