-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT Security Bulletin ASB-2017.0138
   Wibu Systems CodeMeter 6.50 - Persistent XSS Vulnerability
                           5 September 2017
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              CodeMeter
Operating System:     Solaris
                      Linux variants
                      OS X
                      Windows
Impact/Access:        Cross-site Scripting -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2017-13754
Member content until: Thursday, October 5 2017

OVERVIEW

        Vulnerability Lab has published information regarding a cross-site
        scripting (XSS) vulnerability in Wibu Systems CodeMeter which
        affects many Wibu products [1].

IMPACT

        Vulnerability Lab has provided the following description of the
        impact for the vulnerability.

        "A persistent input validation vulnerability has been discovered in
        the Wibu Systems AG CodeMeter WebAdmin v6.50 web-server
        web-application. The vulnerability allows remote attackers to
        inject own malicious script code with application-side vector to
        the vulnerable function or module to followup with a compromising
        attack." [1]

MITIGATION

        Vulnerability Lab recommends the following remedial actions to be
        taken.

        "1. Restrict the input field and disallow the usage of special
            chars like in the other input fields
         2. Parse the input field and escape the content
         3. Parse in the visible listing the output location of the item
         4. Setup a secure exception-handling to handle illegal events
         5. Include a proper validation mask to the form to prevent
            further injection attacks

         The security vulnerability has been patched in the version
         6.50b." [1]

REFERENCES

        [1] Wibu Systems CodeMeter 6.50 - Persistent XSS Vulnerability
            https://www.vulnerability-lab.com/get_content.php?id=2074

        AusCERT has made every effort to ensure that the information
        contained in this document is accurate.
        However, the decision to use the information described is the
        responsibility of each user or organisation. The decision to
        follow or act on information or advice contained in this security
        bulletin is the responsibility of each user or organisation, and
        should be considered in accordance with your organisation's site
        policies and procedures. AusCERT takes no responsibility for
        consequences which may arise from following or acting on
        information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWa3/+Yx+lLeg9Ub1AQiHZg/+J+BbU5Yma1K1bD+kXmO5qm39QKXl96x2
tDncEH5g1SlGSso3Kx6yMGiHEmQtMH35MaKjf/XISuWjHO17mSokFAExcH1nTl2+
0y5pYmishVRQR2Y3l4wkOR9vPCWWw0QmhUzRhz6URJJqeJ64nChLS9iLvmBdcHz8
qU9s7Wfh777l0DqOvn/vu8mZ72/PbNAganrEmY3aFI43HR5kHfbop2qirUKORN8C
EQcJxAGFAE+7d+i1WXQ/sftGeKtDZOMEGhj/KEZfEiHP+wkgqFtpss9OzyTuPWPK
0U4V4qXXGz8j1ZRT/XKDZWwVTaGF7gLJPczZlrS1sQy4Oa0MIFxoJmeEsN35aV0X
QAId9KObnuCLGR/RW1p1GZObuALR6VNSRWpbTcF0HxsqUK9lR58Cp0diPn41eAJs
CvgPm9AvN0eE/QZaqAUzGBD2gpgvZTRA3unGn/v56vvzJRR+0Q2x7shibW/4eAzO
ciUwEYm7XCjfGZz+qZ9p0jOcy/yuBOuPDOBS7BQjzTkikEgSHCm3i+S1fSqs1K/9
mOT87ZXnapooMgFIpJS33DhLTJQKodV/8NEAzw1lKx354ivfxMMFQ68MxaJ+2sZA
ZRgh2Ushwk++Fv/khq1IUXMkLBv9uZGdYM6JRt4jcN/GChFhMkp58+C2Swyrrx0K
VOXjVFAl3i0=
=xl6H
-----END PGP SIGNATURE-----
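The five remedial actions quoted in the MITIGATION section describe the standard defence against a persistent (stored) XSS: validate the form field against an allow-list, escape stored values when they are written into the listing, and make sure an error path never echoes raw input. The JavaScript below is an added example of that pattern; it is not code from the bulletin, from Vulnerability Lab, or from Wibu Systems' CodeMeter WebAdmin. The field name, the allow-list pattern, the listing row layout and the sample stored item are all assumptions made for illustration.

```javascript
// Added example (not part of the AusCERT bulletin or of CodeMeter):
// the quoted mitigation steps as a server-side input/output handling
// pattern for one free-text field of a web-admin form.

// Steps 1 and 5: an allow-list "validation mask" for the field.
// Only letters, digits, space, dot, underscore and dash are accepted;
// the pattern itself is an assumption chosen for this example.
const LABEL_MASK = /^[A-Za-z0-9 ._-]{1,64}$/;

function validateLabel(input) {
  if (typeof input !== "string" || !LABEL_MASK.test(input)) {
    throw new Error("label rejected: contains disallowed characters");
  }
  return input;
}

// Step 4: a single exception handler around the submission path. The
// error reply carries a fixed message and never echoes the raw input.
function handleSubmission(rawLabel) {
  try {
    return { ok: true, stored: validateLabel(rawLabel) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Steps 2 and 3: escape on output so that whatever reaches the visible
// listing is rendered as inert text, not markup.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Output escaping is applied to every stored field regardless of whether
// the value passed validation when it was written, so items stored before
// the input mask existed are still rendered safely.
function renderListingRow(item) {
  return (
    "<tr><td>" + escapeHtml(item.name) + "</td>" +
    "<td>" + escapeHtml(item.location) + "</td></tr>"
  );
}

// Constructed sample: an item whose name was stored without validation.
const legacyItem = {
  name: "<script>alert(1)</script>",
  location: "/opt/example/licenses", // placeholder path, not a real one
};

// Stand-alone demonstration when run directly with node.
console.log(handleSubmission("Licence Server 01"));
console.log(handleSubmission("<b>x</b>"));
console.log(renderListingRow(legacyItem));
```

Validation and escaping are deliberately separate functions: the mask stops new markup from being stored, while escaping at render time protects the listing against anything already in the database, including records written by an older, unpatched version.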