JEdit ActiveX Control Information Disclosure vulnerability

2006-06-27 / 2006-06-28
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-Other


CVSS Base Score: 2.6/10
Impact Subscore: 2.9/10
Exploitability Subscore: 4.9/10
Exploit range: Remote
Attack complexity: High
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

Publish Date: July 17, 2006
Status: SRLabs.net contacted the vendor on July 7, 2006 to request a security contact for sending information about the vulnerability, but has not received a response yet.
Vendor: Jaguarsoft (http://www.jaguarsoft.com)

JEdit is an ActiveX control for IE for anti-keylogger purposes. Many banks in Turkey distribute different builds of JEdit to users for protection. SRLabs.net discovered an information disclosure vulnerability in JEdit.

An attacker can obtain the following sensitive information in the wild:
- User's machine name
- Logged-in Windows user's name
- User's MAC address
- User's IP address, which is bound to the user machine's Ethernet interface
- User's gateway IP address, which is bound to the user machine's Ethernet interface
- User's HDD serial number

Builds affected by this vulnerability:
- Garanti Bankasi / Guvenlik Kalkani
- Anadolu Finans Kurumu / Anadolu Hisari
- Is Bankasi / Guvenlik Cemberi
- Turkishbank / E-Guard

Proof-of-concept code can be viewed at http://www.srlabs.net/bulten/source/Jaguar.htm

