RemoteDocs R-Viewer Remote Code Execution and Information Disclosure Vulnerabilities

Bugtraq ID:	25591
Class:	Design Error
CVE:	CVE-2007-4750 CVE-2007-4751
Remote:	Yes
Local:	Yes
Published:	Sep 17 2007 12:00AM
Updated:	Sep 17 2007 10:00PM
Credit:	Adam Baldwin of Symantec is credited with the discovery of this vulnerability.
Vulnerable:	RemoteDocs R-Viewer 1.6.2836
Not Vulnerable:	RemoteDocs R-Viewer 1.6.3768

RemoteDocs R-Viewer Remote Code Execution and Information Disclosure Vulnerabilities

RemoteDocs R-Viewer is prone to an information-disclosure vulnerability and a remote code-execution vulnerability.

An attacker can exploit these issues to execute arbitrary code with the privileges of the user running the affected application and to gain access to sensitive information.

These issues affect R-Viewer 1.6.2836; prior versions may also be affected.

RemoteDocs R-Viewer Remote Code Execution and Information Disclosure Vulnerabilities

A specific exploit is not required for the information-disclosure issue. An attacker needs only local interactive access to an affected computer.

Currently we are not aware of any exploits for the remote code-execution issue. If you feel we are in error or if you are aware of more recent information, please mail us at: mailto:[email protected].

RemoteDocs R-Viewer Remote Code Execution and Information Disclosure Vulnerabilities

Solution:
The vendor released an update to address these issues. Please see the references for more information.

RemoteDocs R-Viewer Remote Code Execution and Information Disclosure Vulnerabilities

References:

• RemoteDocs R-Viewer Homepage (RemoteDocs)
  
• SYMSA-2007-009: RemoteDocs R-Viewer Code Execution and Sensitive ([email protected])