‘Asbru HardCore Web Content Editor Command Injection’
Summary
‘The Asbru Software Web Content Editor allows ‘for web-based advanced text processing, replacing the typical TEXTAREA input fields with a rich user interface, offering HTML editing capabilities, formatting and various other features. It integrates with Asbru Software’s Content Management System, works with most modern browsers and comes in versions for ASP, ASP.NET, PHP, ColdFusion and JSP’.
Credit:
‘The information has been provided by Jan Muenther of n.runs GmbH.
The original article can be found at: http://editor.asbrusoft.com/page.php/id=727‘
Details
‘The spell checking feature uses ASpell, which is invoked through the respective language’s process creation commands, such as proc_open() in PHP, Runtime’s exec() method in JSP, shell.Run() in ASP and the like. All these invocations are prone to a command injection attack, since ASpell’s dictionary argument is specified from a HTTP request parameter and the input is not sanitized.
This leads to immediate shell command execution if an attacker carefully crafts this parameter’s value. The vulnerability is *only* present if the spell checking capability is in use.
Solution:
AsbruSoft reacted very quickly. The vulnerability was reported on Oct 5 and a fix was created over the weekend, released on Oct 8. The updated version 6.0.22 is available from http://editor.asbrusoft.com/page.php/id=727.’