WeBWorK Program Generation Language Macro Security Restriction Bypass Vulnerability
BID:21614
Info
| Bugtraq ID: | 21614 |
| Class: | Access Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Dec 15 2006 12:00AM |
| Updated: | Dec 15 2006 08:23PM |
| Credit: | Reported by the vendor. |
| Vulnerable: | WeBWorK Online Homework Delivery System WeBWorK PG 2.3; WeBWorK Online Homework Delivery System WeBWorK PG 0 |
| Not Vulnerable: | WeBWorK Online Homework Delivery System WeBWorK PG 2.3.1 |
Discussion
WeBWorK Program Generation Language is prone to a security restriction-bypass vulnerability because the application fails to properly enforce restrictions in place to deter attackers from running arbitrary script code on affected computers.
Successfully exploiting this issue allows attackers to execute arbitrary script code in the context of the webserver hosting the vulnerable application. This may aid them in further attacks.
Since attackers must be able to modify the WeBWorK course files, only users with administrative privileges in the application's web interface can typically exploit this issue.
Versions of WeBWorK prior to 2.3.1 are vulnerable to this issue.
Exploit / POC
Attackers can use the affected web application itself to exploit this issue.
Solution / Fix
Solution:
The vendor has released WeBWorK PG 2.3.1 to address this issue. Please see the references for more information.
WeBWorK Online Homework Delivery System WeBWorK PG 0
- WeBWorK Online Homework Delivery System pg-2.3.1.tar.bz2
  http://downloads.sourceforge.net/openwebwork/pg-2.3.1.tar.bz2?modtime=1165952675&big_mirror=0
WeBWorK Online Homework Delivery System WeBWorK PG 2.3
- WeBWorK Online Homework Delivery System pg-2.3.1.tar.bz2
  http://downloads.sourceforge.net/openwebwork/pg-2.3.1.tar.bz2?modtime=1165952675&big_mirror=0
References
References:
- Program Generation Language 2.3.1 (WeBWorK)
- WeBWorK Home Page (WeBWorK Online Homework Delivery System)