document viewer
Where: System access
======================================================================
3) Vendor's Description of Software
"Foxit Reader is a free PDF document viewer and printer, with
incredible small size (only 2.55 M download size), breezing-fast
launch speed and rich feature set. Foxit Reader supports Windows Me/
2000/XP/2003/Vista. Its core function is compatible with PDF Standard
1.7.".
Lotus Notes versions 6.0, 6.5, 7.0, 8.0, 8.5 are vulnerable.
V. WORKAROUND
A workaround is available to disable MS Office Documents within the
Lotus Notes file viewer:

Open the keyview.ini file in the Lotus Notes program data directory
(C:\Program Files\IBM\Lotus\Notes\Data) and comment out all references
to mw8sr.dll. To comment out a reference, precede the line with a
semi-colon ';'.
VI. VENDOR RESPONSE
Lotus Notes versions 6.0, 6.5, 7.0, 8.0, 8.5 are vulnerable.
V. WORKAROUND
A workaround is available to disable LZH archive files within the Lotus
Notes file viewer:

Open the keyview.ini file in the Lotus Notes program data directory
(C:\Program Files\IBM\Lotus\Notes\Data) and comment out all references
to lzhsr.dll. To comment out a reference, precede the line with a
semi-colon ';'.
VI. VENDOR RESPONSE
Lotus Notes versions 6.0, 6.5, 7.0, 8.0, 8.5 are vulnerable.
V. WORKAROUND
A workaround is available to disable Applix Documents within the Lotus
Notes file viewer:

Open the keyview.ini file in the Lotus Notes program data directory
(C:\Program Files\IBM\Lotus\Notes\Data) and comment out all references
to assr.dll. To comment out a reference, precede the line with a
semi-colon ';'.
VI. VENDOR RESPONSE
CVE Name: CVE-2009-0836, CVE-2009-0837
3. *Vulnerability Description*
Foxit Reader is a lightweight, free PDF document viewer and printer. PDF
files may include actions (i.e., 'Go to a page view', 'Open/Execute a
file', 'Open a web link', 'Execute a menu item') associated with
different triggers (i.e., 'Mouse Up', 'Mouse Down', 'Page Visible',
'Page Invisible'). The way Foxit Reader handles an 'Open/Execute a file'
action makes the software victim of two kinds of vulnerabilities:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of IBM Lotus Notes Email Client. User
interaction is required to exploit this vulnerability in that the target
must open a malicious email attachment.
The specific flaw exists within the Lotus Notes file viewer utilizing
the KeyView SDK to render a malformed .wk3 document. The application
will trust a length specified in the file in order to read a number of
bytes into a statically allocated buffer. This leads to a buffer
overflow and can lead to code execution under the context of the
application.
Reference: http://www.securityfocus.com/bid/25591
Overview:
RemoteDocs R-Viewer is a secure document viewer used by remotedocs.com.
There exists a design flaw in RemoteDocs R-Viewer where code can be executed
upon opening the RDZ file without any knowledge or warning to the user.
Additionally, temporary files are not properly removed from disk, exposing the
encrypted data.
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of IBM Lotus Notes Email Client. User
interaction is required to exploit this vulnerability in that the target
must open a malicious email attachment.
The specific flaw exists within the Lotus Notes file viewer utilizing
the KeyView SDK to render a Word document containing a malformed shape.
The application will calculate a length incorrectly when using it to
copy data into an allocated buffer. This can lead to code execution
under the context of the application.
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of IBM Lotus Notes Email Client. User
interaction is required to exploit this vulnerability in that the target
must open a malicious email attachment.
The specific flaw exists within the Lotus Notes file viewer utilizing
the KeyView SDK to render a malformed Word document. The application
will copy an arbitrarily sized ASCII string representing the font name
into a constant sized buffer located on the stack. If large enough this
will lead to a buffer overflow and can lead to code execution under the
context of the application.
Arbitrary File Upload and Execution in Prizm Content Connect default.aspx
Prizm Content Connect web document viewer converts a variety of
formats into Adobe Flash objects so that they can be viewed in a web
browser. If Prizm Content Connect is configured according to the
installation instructions, it will be vulnerable to arbitrary remote
code execution.
>'feature' is present in Windows XP, Vista and 7.
>
>When a user downloads a .CHM file using Internet Explorer (or another
>browser) Windows will mark an NTFS meta-data flag for the file, which
>indicates the file should be "Locked". Locked Help Files will not render any
>content within the CHM file using the Help File Viewer (hh.exe) until a user
>selects the file in Explorer and clicks the "Unblock" button under the file's
>properties, which resets the NTFS meta-data flag.
>
>This security feature can be bypassed by referencing external URI handlers
>from the CHM file's Table of Contents file, and links can be directly accessed
Where: Remote
======================================================================
3) Vendor's Description of Software
"Okular is a universal document viewer based on KPDF for KDE 4.".
Product Link:
http://okular.kde.org/
======================================================================
attackers to execute arbitrary code or cause a Denial of Service.
Background
==========
Evince is a document viewer for multiple document formats, including
PostScript.
Affected packages
=================
NTFS volume. This 'feature' is present in Windows XP, Vista and 7.
When a user downloads a .CHM file using Internet Explorer (or another browser)
Windows will mark an NTFS meta-data flag for the file, which indicates
the file should be "Locked". Locked Help Files will not render any
content within the CHM file using the Help File Viewer (hh.exe) until
a user selects the file in Explorer and clicks the "Unblock" button
under the file's properties, which resets the NTFS meta-data flag.
This security feature can be bypassed by referencing external URI handlers
from the CHM file's Table of Contents file, and links can be directly accessed
PASSCODE LOCK:
An ability to protect your files from viewing by others.
UNIVERSALITY:
This app is developed for both iPhone and iPad, you need to purchase only once.
AirDisk Pro features document viewer, PDF reader, music player, image viewer, voice recorder, text editor, file manager and
support most of the file operations: like delete, move, copy, email, share, zip, unzip and more.
(Copy of the Vendor Homepage: https://itunes.apple.com/us/app/airdisk-pro-wireless-flash/id505904421 )
Good point, but this should not be a problem if
the application service provider uses a dedicated
RegisteredDomain for the particular application.
>being able to sandbox each document+viewer combo is great. I think you
>should do some usability testing with your suggestion that the file
>retrieval session record be deleted when the document is accessed,
> though.
>This is very likely to cause problems with user agents like Internet
> Explorer
Using different ports can be a little tricky; corporate firewall admins
are very fond of disallowing https to atypical ports, for instance. Your
hostname suggestion has other benefits if you're able to mitigate other
risks (e.g., SSO cookies scoped for all RegisteredDomain hostnames) --
being able to sandbox each document+viewer combo is great. I think you
should do some usability testing with your suggestion that the file
retrieval session record be deleted when the document is accessed, though.
This is very likely to cause problems with user agents like Internet Explorer
that have aggressive anti-caching stances for https content, and I imagine
could easily cause trouble for things like chunked partial requests. I'd
Lotus Notes versions 6.0, 6.5, 7.0, 8.0, 8.5 are vulnerable.
V. WORKAROUND
A workaround is available to disable RTF documents within the Lotus
Notes file viewer:

Open the keyview.ini file in the Lotus Notes program data directory
(C:\Program Files\IBM\Lotus\Notes\Data) and comment out all references
to rtfsr.dll. To comment out a reference, precede the line with a
semi-colon ';'.
VI. VENDOR RESPONSE
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of IBM Lotus Notes Email Client. User
interaction is required to exploit this vulnerability in that the target
must open a malicious email attachment.
The specific flaw exists within the Lotus Notes file viewer utilizing
the KeyView SDK to render a malformed .wk3 document. The application
will mistrust a length used to allocate a buffer. Later, the application
will use a differently calculated length in a copy used to initialize
that buffer. This leads to a buffer overflow and can lead to code
execution under the context of the application.
VIII) POC and attack code
- Blacklist extension check for reading
This POC will expose the bypass of a file viewer that blacklists certain
file extensions.
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
<?php
parameter in a RestoreFile action to index.cgi (CVE-2011-5081).
Cross-site scripting (XSS) vulnerability in View.pm in BackupPC 3.0.0,
3.1.0, 3.2.0, 3.2.1, and possibly earlier allows remote attackers to
inject arbitrary web script or HTML via the num parameter in a view
action to index.cgi, related to the log file viewer (CVE-2011-4923).
Also, this update package corrects/improves the definition of
variables in config.pl, the configuration file of backuppc: the
variables SshPath, SmbClientPath, NmbLookupPath, TarClientPath,
TopDir. As a result, backuppc should now run with the default values
arbitrary code.
Background
==========
Xpdf is a PDF file viewer that runs under the X Window System.
Affected packages
=================