From advisory@stgsecurity.com Wed Sep 3 01:44:57 2003
From: SSR Team
To: SecurityTracker, SecuriTeam, Secunia, Packet Storm Security, Full Disclosure, BugTraq
Date: Tue, 2 Sep 2003 17:21:28 +0900
Subject: [Full-Disclosure] STG Security Advisory: [SSA-20030902-04] Accessibility control bypass vulnerability of Wrapsody Viewer

STG Security Advisory: [SSA-20030902-04] Accessibility control bypass vulnerability of Wrapsody Viewer

Revision 1.0
Date Published: 2003-09-02 (KST)
Last Update: 2003-09-02
Disclosed by SSR Team (advisory@stgsecurity.com)

Abstract
========
Wrapsody is a Fasoo.com solution designed to enable confidential information to be securely shared among friends, colleagues and business partners. It encrypts files and allows senders to set up rules, including whether recipients have the right to view, print, copy, paste and/or save, so that the sent message does not open for anyone the sender did not intend.

Vulnerability Class
===================
Implementation Error: Inappropriate Implementation

Details
=======
A malicious user can bypass the copy & paste restriction of the Wrapsody viewer through a specific workflow instead of the naive one intended by the Wrapsody developers.

Impact
======
Public exposure of confidential information stored in encrypted files.

Solution
========
Fasoo.com has fixed this problem and released patched viewers, available at the following addresses:
http://www.wrapsody.co.kr/viewer.asp (Korean Version)
http://eng.wrapsody.co.kr/viewer.asp (English Version)
Administrators should upgrade vulnerable viewers to prevent the disclosure of confidential information.

Affected Products
=================
Wrapsody Viewer 3.0 and below

Vendor Status: FIXED
====================
2003-07-28 Fasoo.com notified.
2003-07-29 Second attempt at vendor contact.
2003-08-29 Third attempt at vendor contact; they replied that fixed versions had been released.
2003-09-02 Public disclosure.

Credits
=======
Yongchan Kim at STG Security

About STG Security
==================
STG Security Inc. is an affiliated company of STG Group, which has its head office in the States and was founded in March 2000. Its core business areas are professional penetration testing, security code review and BS7799 consulting services.
http://www.stgsecurity.com/
Phone +82-2-6333-4500
FAX +82-2-6333-4545