WeOnlyDo SFTP ActiveX Control Remote Arbitrary File Access Vulnerability

Bugtraq ID:	18192
Class:	Access Validation Error
CVE:	CVE-2006-1175
Remote:	Yes
Local:	No
Published:	May 31 2006 12:00AM
Updated:	May 31 2006 11:17PM
Credit:	Will Dormann is credited with the discovery of this vulnerability.
Vulnerable:	WeOnlyDo! wodSFTP ActiveX component 3
Not Vulnerable:

WeOnlyDo SFTP ActiveX Control Remote Arbitrary File Access Vulnerability

The wodSFTP ActiveX control is prone to an arbitrary file-access vulnerability.

An attacker can exploit this issue to upload arbitrary files to a victim user's computer or to download arbitrary files from the victim's computer in the context of the vulnerable application using the ActiveX control.

WeOnlyDo SFTP ActiveX Control Remote Arbitrary File Access Vulnerability

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected]

WeOnlyDo SFTP ActiveX Control Remote Arbitrary File Access Vulnerability

Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].

WeOnlyDo SFTP ActiveX Control Remote Arbitrary File Access Vulnerability

References:

• INFO: How Internet Explorer Determines If ActiveX Controls Are Safe (Microsoft)
  
• Microsoft Knowledge Base Article 240797 (Microsoft)
  
• Vulnerability Note VU#378604 - WeOnlyDo! SFTP ActiveX control fails to properly (US-CERT)
  
• wodSFTP Homepage (WeOnlyDo!)