TU Berlin Researchers Discover Vulnerability in Sharelatex

idw-News App:

Share on:

03/02/2015 14:32

TU Berlin Researchers Discover Vulnerability in Sharelatex

Stefanie Terp Stabsstelle Presse, Öffentlichkeitsarbeit und Alumni
Technische Universität Berlin

In early January 2015 researchers of Prof. Dr. Jean-Pierre Seifert's chair of Security in Telecommunications at the Institute of Software-Engineering and Theoretical Computer Science discovered two vulnerabilities in Sharelatex[0]. Sharelatex is a software used for the collaborative creation of scientific documents. It is utilized by scientists in many research institutes around the world, including Ivy-League Universities and NASA. The open-source version found its way to further research institutes with national and international reputation.

Prof. Dr. Seifert's group demonstrated that the underlying text-processing software allows an attacker to read arbitrary files on an affected server. Even though this already constitutes a dramatic error on systems harboring future scientific publications, they found a second vulnerability that allows attackers to execute arbitrary code on the server.

In coordination with cert.org these issues were directly communicated to the developers of Sharelatex, who immediately patched the vulnerabilities. To allow all affected parties to secure their systems, it was decided to postpone publication until today, 2nd of March 2015. At the same time sharelatex publishes version 0.1.3 of their software, which includes the necessary patches.

Technical Details:
Arbitrary file read was possible via the LaTeX-command "\include{}", and the vulnerability is tracked as CVE-2015-0933. Remote Code Execution was possible via filenames of the form "`command`.tex" and is tracked as CVE-2015-0934.

For further information please contact:
Prof. Dr. Jean-Pierre Seifert
TU Berlin
Chair of Security in Telecommunications
Tel.: 030/8353-58481
E-Mail: tfiebig@sec.t-labs.tu-berlin.de

Images

Criteria of this press release:
Journalists
Information technology
transregional, national
Transfer of Science or Research
English

Extent of search

Search in Press Releases Search in Events

Type of press release

Types of events

Subject areas

- Advanced scientific education [i]
- Contests / awards [i]
- Cooperation agreements [i]
- Miscellaneous scientific news/publications [i]
- Organisational matters [i]
- Personnel announcements [i]
- Press events [i]
- Research projects [i]
- Research results [i]
- Schools and science [i]
- Science policy [i]
- Scientific conferences [i]
- Scientific Publications [i]
- Studies and teaching [i]
- Transfer of Science or Research [i]
- Select all
- (Student) information event / Fair [i]
- Conference / symposium / (annual) conference
- Excursion
- Exhibition / cultural event / festival [i]
- Presentation / colloquium / lecture [i]
- Press conferences [i]
- Programms for children + young people [i]
- Seminar / workshop / discussion [i]
- Select all
- Art / design [i]
- Biology [i]
- Chemistry [i]
- Construction / architecture [i]
- Cultural sciences [i]
- Economics / business administration [i]
- Electrical engineering [i]
- Energy [i]
- Environment / ecology [i]
- Geosciences [i]
- History / archaeology
- Information technology [i]
- Language / literature [i]
- Law [i]
- Materials sciences [i]
- Mathematics [i]
- Mechanical engineering [i]
- Media and communication sciences [i]
- Medicine [i]
- Music / theatre [i]
- Nutrition / healthcare / nursing [i]
- Oceanology / climate [i]
- Philosophy / ethics [i]
- Physics / astronomy [i]
- Politics [i]
- Psychology [i]
- Religion [i]
- Social studies [i]
- Sport science [i]
- Teaching / education [i]
- Traffic / transport [i]
- Zoology / agricultural and forest sciences [i]
- interdisciplinary [i]
- Select all

Date of publication

Start date

End date

- Austria
- Denmark
- France
- Germany
- Hungary
- Israel
- Italy
- Japan
- Liechtenstein
- Luxembourg
- Netherlands
- Sweden
- Switzerland
- United Kingdom
- other
- Select all
- English
- German
- Baden-Württemberg
- Bayern
- Berlin
- Brandenburg
- Bremen
- Hamburg
- Hessen
- Mecklenburg-Vorpommern
- Niedersachsen
- Nordrhein-Westfalen
- Rheinland-Pfalz
- Saarland
- Sachsen
- Sachsen-Anhalt
- Schleswig-Holstein
- Thüringen
- Select all
- Burgenland
- Carinthia
- Lower Austria
- Salzburg
- Styria
- Tyrol
- Upper Austria
- Vienna
- Vorarlberg
- Select all
- Aargau
- Appenzell Ausserrhoden
- Appenzell Innerrhoden
- Basel-Landschaft
- Basel-Stadt
- Bern
- Fribourg
- Geneva
- Glarus
- Graubünden
- Jura
- Lucerne
- Neuchâtel
- Nidwalden
- Obwalden
- Schaffhausen
- Schwyz
- Solothurn
- St. Gallen
- Thurgau
- Ticino
- Uri
- Valais
- Vaud
- Zug
- Zürich
- Select all

Selected relevance for distribution when published

Target groups

- local
- regional
- transregional, national
- international
- Select all
- Business and commerce
- Journalists
- Scientists and scholars
- Students
- Teachers and pupils
- all interested persons
- Select all

idw-News App:

TU Berlin Researchers Discover Vulnerability in Sharelatex

Stefanie Terp Stabsstelle Presse, Öffentlichkeitsarbeit und Alumni Technische Universität Berlin

Advanced Search

Extent of search

Date of publication

Help

Search / advanced search of the idw archives

Combination of search terms

Brackets

Phrases

Selection criteria

Stefanie Terp Stabsstelle Presse, Öffentlichkeitsarbeit und Alumni
Technische Universität Berlin