WeOnlyDo! Software Information for VU#378604

WeOnlyDo! SFTP ActiveX control fails to properly restrict access to methods

Status

Affected

Vendor Statement

We are fully aware of this issue, but have no plans to update our software at this time. In our opinion this vulnerability note does not affect wodSFTP's security or strength - it only explains that wodSFTP can be used by malicious software.

Trying to remove 'safe for scripting' flag would affect wodSFTP's functionality and it wouldn't be usable in certain environments at all.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

We believe the wodSFTP control be be vulnerable because it does not follow Microsoft's "Designing Secure ActiveX Controls" guidelines. If you do not need to use the wodSFTP control in a web page, we recommend setting the kill bit for the control, as specified in VU#378604.

If you have feedback, comments, or additional information about this vulnerability, please send us email.