SPI Dynamics Security Bulletin SPI-0001-07282005

Issue:
Potential WebInspect Cross Application Scripting (XAS) Vulnerability

Severity:
Low

Potential Impact:
Remote Code Execution

Recommendation:
All customers should run SmartUpdate to ensure they are running the
latest version of WebInspect (5.5.386 or later).

Affected Software:
WebInspect 5.0.196

Non-Affected Software:
WebInspect 5.5
QAInspect (all versions)
DevInspect (all versions)
SecureObjects (all versions)
AMP (all versions)

Description:
SPI Dynamics has investigated a public report of a Cross Application
Scripting (XAS) vulnerability in WebInspect. We have verified that
WebInspect 5.5 (released May 16th, 2005) is not vulnerable however
WebInspect version 5.0.196 was susceptible. We recommend all customers
upgrade to WebInspect 5.5 which can be performed automatically at any
time by running SmartUpdate.

Background:
Cross application scripting (XAS) is possible when an application
executes data in a security context different from the original content
(presumably one with less security restrictions). For example the data
may be obtained from an un-trusted source (a remote web server) that is
sent unfiltered into a trusted application such as when web content is
downloaded from a remote server, and then re-displayed on the local
host. Any application that downloads and then later displays and
executes web content (such as JavaScript) may be vulnerable to XAS.

Disclosure Timeline:
April 15, 2005 08:01 AM – Initial disclosure to SPI Dynamics
April 15, 2005 09:28 AM – Initial SPI Dynamics response
July 26, 2005 04:45 AM– Public posting of disclosure (not coordinated
with SPI Dynamics)

Acknowledegements:
SPI Dynamics wishes to thank Sergey V. Gordeychik for informing us of
this vulnerability

Disclaimer:
The information provided in this bulletin is provided "as is" without
warranty of any kind. SPI Dynamics, Inc. disclaims all warranties,
either express or implied, including the warranties of merchantability
and fitness for a particular purpose. In no event shall SPI Dynamics,
Inc. or its suppliers be liable for any damages whatsoever including
direct, indirect, incidental, consequential, loss of business profits or
special damages, even if SPI Dynamics, Inc. or its suppliers have been
advised of the possibility of such damages. Some states do not allow the
exclusion or limitation of liability for consequential or incidental
damages so the foregoing limitation may not apply.

Revisions:
V1.0 (July 27, 2005): Internal Release
V1.1 (July 28, 2005): Bulletin published

Contact:
Security issues and questions related to security bulletins may be sent
to SPI Dynamics at security-alert@spidynamics.com