-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2017.0138
        Wibu Systems CodeMeter 6.50 - Persistent XSS Vulnerability
                             5 September 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              CodeMeter
Operating System:     Solaris
                      Linux variants
                      OS X
                      Windows
Impact/Access:        Cross-site Scripting -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2017-13754  
Member content until: Thursday, October  5 2017

OVERVIEW

        Vulnerability Lab has published information regarding Wibu Systems
        CodeMeter, which contains a persistent XSS vulnerability affecting many
        Wibu products [1].


IMPACT

        Vulnerability Lab has provided the following description of the
        vulnerability's impact.
        
        "A persistent input validation vulnerability has been discovered in
        the Wibu Systems AG CodeMeter WebAdmin v6.50 web-server 
        web-application. The vulnerability allows remote attackers to inject
        own malicious script code with application-side vector to the 
        vulnerable function or module to followup with a compromising 
        attack." [1]


MITIGATION

        Vulnerability Lab recommends that the following remedial actions be taken.
        "1. Restrict the input field and disallow the usage of special chars like in the other input fields
        2. Parse the input field and escape the content
        3. Parse in the visible listing the output location of the item
        4. Setup a secure exception-handling to handle illegal events
        5. Include a proper validation mask to the form to prevent further injection attacks
        The security vulnerability has been patched in the version 6.50b." [1]
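        The five remedial steps above describe the standard defence against a
        stored (persistent) XSS in a web-admin form: an allowlist validation
        mask on the way in, controlled handling of rejected input, and HTML
        escaping of every stored value at the point where the listing is
        rendered. The following is an added illustration written for this
        bulletin, not code from Wibu Systems or Vulnerability Lab; the field
        names, the allowlist mask and the sample items are assumptions chosen
        to mirror a generic item listing, not the CodeMeter WebAdmin itself.
        It shows the vulnerable rendering pattern beside its hardened form so
        the effect of each step can be checked on sample input.

```python
import html
import re

# Assumed allowlist "validation mask" for a free-text item name (step 1 and
# step 5): letters, digits, space, dot, dash, underscore, 1-64 characters.
# The real product's rules are not given in the bulletin.
ITEM_NAME_MASK = re.compile(r"^[A-Za-z0-9 ._-]{1,64}$")

# Constructed sample records, as a web-admin form might have persisted them.
# The second name is a benign marker string used only to show that markup
# stored without validation reaches the page verbatim.
SAMPLE_ITEMS = [
    {"name": "Licence container 1", "location": "/srv/cm/containers/1"},
    {"name": "<script>alert(1)</script>", "location": "/srv/cm/containers/2"},
]


def validate_item_name(name: str) -> bool:
    """Step 1 / step 5: accept only names that match the allowlist mask."""
    return bool(ITEM_NAME_MASK.fullmatch(name))


def store_item(items: list, name: str, location: str) -> bool:
    """Server-side form handler.

    Persists the record only when the name passes validation and signals
    rejection to the caller (step 4: an illegal event is handled explicitly
    rather than raising or silently storing the bad value).
    """
    if not validate_item_name(name):
        return False
    items.append({"name": name, "location": location})
    return True


def render_listing_unsafe(items: list) -> str:
    """The vulnerable pattern: stored values are concatenated into the HTML
    listing verbatim, so any markup that reached storage is rendered as
    markup for every administrator who views the page."""
    rows = "".join(
        f"<tr><td>{i['name']}</td><td>{i['location']}</td></tr>" for i in items
    )
    return f"<table>{rows}</table>"


def render_listing_safe(items: list) -> str:
    """Steps 2 and 3: escape every stored value at output time, name and
    location alike, independently of what validation did on the way in.
    html.escape with quote=True also encodes quotes, which matters when a
    value is later placed inside an attribute."""
    rows = "".join(
        f"<tr><td>{html.escape(i['name'], quote=True)}</td>"
        f"<td>{html.escape(i['location'], quote=True)}</td></tr>"
        for i in items
    )
    return f"<table>{rows}</table>"


if __name__ == "__main__":
    # Show the difference on the constructed records.
    print("unsafe:", render_listing_unsafe(SAMPLE_ITEMS))
    print("safe:  ", render_listing_safe(SAMPLE_ITEMS))
    # Show that the hardened form handler refuses the same value up front.
    fresh = []
    print("stored ok name:", store_item(fresh, "Licence container 3", "/srv/cm/containers/3"))
    print("stored bad name:", store_item(fresh, "<b>x</b>", "/srv/cm/containers/4"))
    print("records kept:", len(fresh))
```

        Output escaping is kept even though validation already rejects the
        characters, because the advisory's step 1 alone closes only the one
        field that was reported; records written before the fix, or through
        another path that bypasses the form, are still rendered safely when the
        listing escapes everything it prints.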


REFERENCES

        [1] Wibu Systems CodeMeter 6.50 - Persistent XSS Vulnerability
            https://www.vulnerability-lab.com/get_content.php?id=2074

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWa3/+Yx+lLeg9Ub1AQiHZg/+J+BbU5Yma1K1bD+kXmO5qm39QKXl96x2
tDncEH5g1SlGSso3Kx6yMGiHEmQtMH35MaKjf/XISuWjHO17mSokFAExcH1nTl2+
0y5pYmishVRQR2Y3l4wkOR9vPCWWw0QmhUzRhz6URJJqeJ64nChLS9iLvmBdcHz8
qU9s7Wfh777l0DqOvn/vu8mZ72/PbNAganrEmY3aFI43HR5kHfbop2qirUKORN8C
EQcJxAGFAE+7d+i1WXQ/sftGeKtDZOMEGhj/KEZfEiHP+wkgqFtpss9OzyTuPWPK
0U4V4qXXGz8j1ZRT/XKDZWwVTaGF7gLJPczZlrS1sQy4Oa0MIFxoJmeEsN35aV0X
QAId9KObnuCLGR/RW1p1GZObuALR6VNSRWpbTcF0HxsqUK9lR58Cp0diPn41eAJs
CvgPm9AvN0eE/QZaqAUzGBD2gpgvZTRA3unGn/v56vvzJRR+0Q2x7shibW/4eAzO
ciUwEYm7XCjfGZz+qZ9p0jOcy/yuBOuPDOBS7BQjzTkikEgSHCm3i+S1fSqs1K/9
mOT87ZXnapooMgFIpJS33DhLTJQKodV/8NEAzw1lKx354ivfxMMFQ68MxaJ+2sZA
ZRgh2Ushwk++Fv/khq1IUXMkLBv9uZGdYM6JRt4jcN/GChFhMkp58+C2Swyrrx0K
VOXjVFAl3i0=
=xl6H
-----END PGP SIGNATURE-----