Vulnerability Note VU#378604
WeOnlyDo! SFTP ActiveX control fails to properly restrict access to methods
The WeOnlyDo! SFTP ActiveX control is incorrectly marked safe for scripting. This may allow a remote unauthenticated attacker to upload arbitrary files from a vulnerable system to an SFTP server or download arbitrary files from an SFTP server to a vulnerable system.
ActiveX is a technology that allows programmers to create reusable software components that can be incorporated into applications to extend their functionality. Internet Explorer is a common Windows application that makes use of ActiveX controls.
If you mark your control as safe for scripting, you are asserting that your control won't do anything to damage a user's system or compromise the user's security, regardless of how your control's methods and properties are manipulated by the Web page's script. In other words, it has to accept any method calls (with any parameters) and/or property manipulations in any order without doing anything bad.
The WeOnlyDo! SFTP (wodSFTP) ActiveX control is an ActiveX component that provides Secure File Transfer Protocol (SFTP) functionality to the application that uses it.
The wodSFTP ActiveX control can download arbitrary files to the local file system and upload arbitrary files from it, yet it is marked "safe for scripting" via the IObjectSafety interface, so any web page that instantiates the control can invoke these methods from script. The methods require no user interaction to complete.
By convincing a victim to view an HTML document (web page, HTML email, or email attachment), an attacker could download arbitrary files to a vulnerable system within the security context of the user running IE. A downloaded file could contain code that is executed through other means: the user may open the file inadvertently, or the attacker may place it in a sensitive location, such as the Windows Startup folder, where it runs automatically the next time the user logs on. An attacker can also upload arbitrary files from the victim's computer to an SFTP server under the attacker's control.
We are currently unaware of a practical solution to this problem.
Disable Active scripting and ActiveX
Disabling Active scripting and ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this vulnerability. With ActiveX controls disabled, the wodSFTP ActiveX control will not be instantiated. With Active scripting disabled, the wodSFTP ActiveX control cannot be scripted by a web site. Instructions for disabling Active scripting and ActiveX in the Internet Zone can be found in the Securing Your Web Browser document and the Malicious Web Scripts FAQ.
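The following PowerShell script is an added example, not part of this note or of the vendor's software, that audits and optionally applies the workaround above. Zone 3 is the Internet zone; the value names 1200 ("Run ActiveX controls and plug-ins") and 1400 ("Active scripting") and the data values 0 (Enable), 1 (Prompt) and 3 (Disable) are Microsoft's documented URL security zone settings. It assumes the settings live in the per-user hive (HKCU) and are not overridden by a machine-wide policy under HKLM.

```powershell
# Added example (not from the CERT note or the vendor): audit, and optionally
# apply, the Internet zone workaround from PowerShell.
# Zone 3 = Internet zone. Value names are Microsoft's documented zone settings:
#   1200 = "Run ActiveX controls and plug-ins"
#   1400 = "Active scripting"
# Data: 0 = Enable, 1 = Prompt, 3 = Disable.
# Assumption: per-user settings under HKCU, not overridden by Group Policy
# under HKLM. If policy is in use, audit the HKLM hive as well.

$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$Settings = [ordered]@{
    '1200' = 'Run ActiveX controls and plug-ins'
    '1400' = 'Active scripting'
}
$Meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-InternetZoneActiveState {
    # One object per setting: current data and whether it matches the
    # state the workaround calls for (3 = Disable).
    foreach ($name in $Settings.Keys) {
        $item = Get-ItemProperty -Path $ZonePath -Name $name -ErrorAction SilentlyContinue
        $data = if ($null -ne $item) { [int]$item.$name } else { $null }
        $state = 'not set'
        if ($null -ne $data) {
            $state = if ($Meaning.ContainsKey($data)) { $Meaning[$data] } else { "unknown ($data)" }
        }
        [pscustomobject]@{
            Name     = $name
            Setting  = $Settings[$name]
            Data     = $data
            State    = $state
            Hardened = ($data -eq 3)
        }
    }
}

function Disable-InternetZoneActiveContent {
    # Sets both values to 3 (Disable). Applies to new Internet Explorer
    # sessions of the current user; an "unset" value falls back to the
    # zone default, which is why it is written explicitly rather than left.
    if (-not (Test-Path $ZonePath)) { New-Item -Path $ZonePath -Force | Out-Null }
    foreach ($name in $Settings.Keys) {
        Set-ItemProperty -Path $ZonePath -Name $name -Value 3 -Type DWord
    }
}

$report = Get-InternetZoneActiveState
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Hardened }) {
    Write-Warning 'Internet zone still allows ActiveX controls or Active scripting; run Disable-InternetZoneActiveContent to apply the workaround.'
} else {
    'Internet zone has ActiveX controls and Active scripting disabled.'
}
```

Disabling value 1200 prevents the control from being instantiated at all; disabling 1400 prevents a page from scripting it even if it is instantiated. Both are needed for the workaround as described, and the same two values under the other zone keys (for example Zones\4, the Restricted sites zone) govern any other zone an attacker's page might land in.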
Systems Affected

Vendor               Status     Date Notified   Date Updated
WeOnlyDo! Software   Affected   25 May 2006     31 May 2006
Thanks to Will Dormann of CERT/CC for reporting this vulnerability.
This document was written by Will Dormann.
- CVE IDs: CVE-2006-1175
- Date Public: 30 May 2006
- Date First Published: 30 May 2006
- Date Last Updated: 31 May 2006
- Severity Metric: 5.05
- Document Revision: 10
If you have feedback, comments, or additional information about this vulnerability, please send us email.