idw – Informationsdienst Wissenschaft

03/02/2015 14:32

TU Berlin Researchers Discover Vulnerability in Sharelatex

Stefanie Terp Stabsstelle Presse, Öffentlichkeitsarbeit und Alumni
Technische Universität Berlin

    In early January 2015, researchers at Prof. Dr. Jean-Pierre Seifert's Chair of Security in Telecommunications at the Institute of Software Engineering and Theoretical Computer Science discovered two vulnerabilities in Sharelatex[0]. Sharelatex is software for the collaborative creation of scientific documents. It is used by scientists in many research institutes around the world, including Ivy League universities and NASA. The open-source version has also found its way to further research institutes of national and international reputation.

    Prof. Dr. Seifert's group demonstrated that the underlying text-processing software allows an attacker to read arbitrary files on an affected server. This alone constitutes a dramatic error on systems harboring future scientific publications. In addition, the group found a second vulnerability that allows attackers to execute arbitrary code on the server.

    In coordination with cert.org, these issues were communicated directly to the developers of Sharelatex, who immediately patched the vulnerabilities. To allow all affected parties to secure their systems, it was decided to postpone publication until today, 2nd of March 2015. At the same time, Sharelatex is publishing version 0.1.3 of its software, which includes the necessary patches.

    Technical Details:
    Arbitrary file read was possible via the LaTeX command "\include{}"; this vulnerability is tracked as CVE-2015-0933. Remote code execution was possible via filenames of the form "`command`.tex" and is tracked as CVE-2015-0934.
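
For operators of a LaTeX compile service, the two bug classes named above map to two server-side checks, sketched here as an added example that is not Sharelatex's code or its actual patch. All function names, the sample document and the project path are hypothetical; `pdflatex` with `-no-shell-escape` is assumed as the compiler.

```python
import re
from pathlib import Path

# Allow-list for project file names: letters, digits, dot, dash, underscore.
# Backticks, $, ;, |, spaces and path separators are all rejected, and the
# first character cannot be "-" (so a name is never parsed as an option).
SAFE_TEX_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,99}\.tex")

# Literal \include{...} and \input{...} arguments (not \includegraphics).
INCLUDE_ARG = re.compile(r"\\(?:include|input)\s*\{([^}]*)\}")


def is_safe_filename(name: str) -> bool:
    return SAFE_TEX_NAME.fullmatch(name) is not None


def build_compile_argv(main_file: str, compiler: str = "pdflatex") -> list:
    """Return an argv list for subprocess.run(argv, cwd=project_dir).

    An argv list is handed to the compiler as-is; nothing is interpreted
    by a shell, so backticks in a name would never be expanded. The
    allow-list is a second layer in case the name reaches a shell later.
    """
    if not is_safe_filename(main_file):
        raise ValueError(f"rejected file name: {main_file!r}")
    return [compiler, "-no-shell-escape", "-interaction=batchmode", main_file]


def escaping_includes(tex_source: str, project_dir: str) -> list:
    """Return include arguments that resolve outside project_dir."""
    root = Path(project_dir).resolve()
    outside = []
    for arg in INCLUDE_ARG.findall(tex_source):
        target = (root / arg.strip()).resolve()  # absolute args replace root
        if target != root and root not in target.parents:
            outside.append(arg)
    return outside


# Constructed sample document and project path, for illustration only.
SAMPLE_TEX = r"""
\documentclass{article}
\begin{document}
\include{chapters/intro}
\include{/etc/hostname}
\input{../other-project/main}
\end{document}
"""
SAMPLE_PROJECT_DIR = "/srv/compile/project-1"  # hypothetical path
```

A static scan only sees literal arguments and misses file names assembled by macros, so it serves as a detection aid; in TeX Live the restriction can be enforced inside the engine with `openin_any = p` in texmf.cnf, combined with running the compiler in a sandbox.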

    For further information please contact:
    Prof. Dr. Jean-Pierre Seifert
    TU Berlin
    Chair of Security in Telecommunications
    Tel.: 030/8353-58481
    E-Mail: tfiebig@sec.t-labs.tu-berlin.de



    Criteria of this press release:
    Journalists
    Information technology
    transregional, national
    Transfer of Science or Research
    English


     
