Last Updated: 25 July 2014
First Published: 25 July 2014
Summary:
A security issue was found in the Web Encryption Extension.
Authenticated users are able to modify the content of HTTPS request
fields to insert code into the pipeline mechanism of PHP.
Severity: High
Affected Software Versions:
All versions of the Web Encryption Extension prior to version 3.0
Impact:
Authenticated users of the Web Encryption Extension are able to
inject code into user-provided input that will be executed with
web server permissions.
Fixes:
The vulnerability has been fixed in WEE version 3.0. Upgrades to
this version must replace all active instances of WEE.
The following downloads are available:
https://senderek.ie/downlaods/
https://senderek.ie/downloads/
Risk Mitigation:
While using vulnerable versions of WEE, users are advised to disable
non-authenticated access to the software, such as guest and demo accounts.
(c) 2014 Senderek Web Security