-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
"Remote Code Execution (RCE) via Unrestricted File Upload" (CWE-434) vulnerability
in "Intrexx Professional" product
United Planet GmbH
"Intrexx is an integrated cross-platform development environment for the creation
and operation of web-based applications, enterprise portals and intranet portals."
This vulnerability affects Intrexx Professional 6.0 (prior to Online Update 10)
and 5.2 (prior to Online Update 0905).
The vendor has released the following fixes:
"Online Update 10" or later for Intrexx Professional 6.0 users
"Online Update 0905" or later for Intrexx Professional 5.2 users
This issue was reported to the vendor by Christian Schneider (@cschneider4711)
following a responsible disclosure process.
Critical
Exploitable by unauthenticated attackers
An unrestricted file upload makes it possible to execute arbitrary code on the remote server:
an attacker uploads a malicious file containing their own code and then executes it remotely.
Because of the responsible disclosure process chosen, and to avoid harming unpatched systems,
no concrete exploit code is presented in this advisory.
http://www.christian-schneider.net/advisories/CVE-2014-2025.txt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
-----END PGP SIGNATURE-----