Security Advisory WEE-2014-7

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Revision: 1.0 Last Updated: 25 July 2014 First Published: 25 July 2014 Summary: A security issue was found in the Web Encryption Extension. Authenticated users are able to modify the content of https request fields to insert code into the pipeline mechanism of PHP. Severity: High Affected Software Versions: All versions of the Web Encryption Extension prior to version 3.0 Impact: Authenticated users of the Web Encryption Extension are able to inject code into user provided input, that will be executed with web server permissions. Fixes: The vulnerability has been fixed in WEE version 3.0, upgrades to this version must replace all active instances of WEE. The following downloads are available: Risk Mitigation: While using vulnerable versions of WEE, users are advised to disable non-authenticated access like guest and demo accounts to the software. (c) 2014 Senderek Web Security -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iQIcBAEBAgAGBQJT0qBIAAoJECyxzx4lRhdKttgQAJN4rhgyjCuh1TQuENpRaAtB nHLNABaXvn6jvCmPX9Rqqk7JxS29mLfg5pbSZ6sxAEPudRDoecleVeKDgXfU+CLb Uf6RCR9dj17OVy7CmZ05BKXX/Fv3VLk8H2OaIZz2P+vTp8ww4wWAWT3YnI6cuXg5 RLmyHTMk+sMN7eOXNq0uKkM+YArrryaAiVAb71s28z4VSAf5v0KtxBKIu8JlHV3w hd7/SAIfxT8RTZVCLDh9uUpBpPNYgYEV0vd4OhzDVExT0w/aK1YT295+jZ8dmmnX n+8wc7wkiQqQ8LGedEAdZdrgTAwLRfwTwh1mfRvmQ4pnYcwcjiBHT33S/L/WBa72 EMYBhkfcH6STLR0IVbklPZxHpbRlItbUvHG6ZCZ9+Pnh8baTtkuetXKb12zHW17l nBpd+ecQZKZ8/XKf1uZGD+8C7EX0GEscV9V1yygz2OawMSx6Rmg7EmPZV1NprF05 prQ4uMSDIeF/2Ufy99fas7Wgl0qa0IZXQkOGM3MaDI+CXMR6P7fIo8WxZJ6NQk1S /BHy8G4eKPed3pL3g1UhHZeuVA9NIuU3jGPvIJk2H0T2rtjmwUKLQLpAxkm+Zd4O cziXn1ej8CdMKDDBKyMBSLjz44f3Ctj1eBWEN+sjE7Oky2EPRuYSs2ASh/Xsea5w OauMHb9f1XN+hvUwOJmX =wGyi -----END PGP SIGNATURE-----