Client-side remote arbitrary file upload

SEC Consult Vulnerability Lab Security Advisory < 20111219-0 >

title: Client-side remote arbitrary file upload
product: SecCommerce SecSigner Java Applet
vulnerable version: 3.5.0 < build 2011/11/12
fixed version: 3.5.0 build
created 2011/11/25
impact: critical
found: 2011/10/21
by: E. Demeter / SEC Consult Vulnerability Lab
    J. Greil / SEC Consult Vulnerability Lab




Vendor description:

"Qualified and advanced electronic signatures may be created and validated
using SecSigner. Signing documents electronically allows for workflow
scenarios and contracting avoiding any media conversion. SecSigner 3.5.0 is
currently available on our web site.

For this version, a manufacturer's declaration according to German signature
law is available at the corresponding regulatory authority. The parent
version 2.0.0 has been certified by the German Federal Office for
Information Security (BSI) according to ITSEC E2/high."



Vulnerability overview/description:

The signed Java applet SecSigner uses the file "" to
configure certain settings of the applet. Amongst others, it is possible to
set the variable "seccommerce.resource", which defines a file that is loaded
during the execution of the applet to supply additional functionality.

If the setting "seccommerce.resource.localcopy" is set to "on", this file is
saved in the defined local temporary folder "%user%\.seccommerce" on the
client. It is however possible to define any other relative path (path
traversal) for that file. The only requirement is that the same path also
exists on the web server the applet is served from. Any arbitrary file can be
chosen as the "seccommerce.resource" file.

An attacker is thus able to upload arbitrary files to an arbitrary path on the
victim's computer. E.g., if a malicious executable is uploaded to the Windows
"startup" folder, it is executed at the next reboot.
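The following is an added illustration, not code from the advisory or from the vendor: the unchecked join that produces the path traversal described above, beside a confined variant that only writes the local copy inside the temporary folder. BASE_DIR (a POSIX stand-in for "%user%\.seccommerce"), the function names and the sample values are constructed assumptions; only the two property names come from the advisory.

```python
import posixpath

# Constructed stand-in (POSIX form) for the local temporary folder the
# advisory names ("%user%\.seccommerce"); the function names are assumptions.
BASE_DIR = "/home/user/.seccommerce"


def unchecked_local_copy(base_dir: str, resource: str) -> str:
    """The flawed pattern: the configured value is joined onto the folder
    as-is, so ".." segments walk out of base_dir (path traversal)."""
    rel = resource.replace("\\", "/")  # a Windows client may use backslashes
    return posixpath.normpath(posixpath.join(base_dir, rel))


def confined_local_copy(base_dir: str, resource: str):
    """Return the path inside base_dir where the resource may be written,
    or None when the configured value would escape that folder."""
    base = posixpath.normpath(base_dir)
    rel = resource.replace("\\", "/")
    # Reject empty names, absolute paths and Windows drive-letter paths.
    if not rel or rel.startswith("/") or (len(rel) > 1 and rel[1] == ":"):
        return None
    candidate = posixpath.normpath(posixpath.join(base, rel))
    # After normalisation the target must be a strict descendant of base;
    # on a real filesystem also resolve symlinks (os.path.realpath) first.
    if candidate == base or posixpath.commonpath([base, candidate]) != base:
        return None
    return candidate


def plan_local_copy(settings: dict):
    """Apply the check to the two advisory settings: nothing is written
    unless localcopy is "on", and then only inside BASE_DIR."""
    if settings.get("seccommerce.resource.localcopy") != "on":
        return None
    return confined_local_copy(BASE_DIR, settings.get("seccommerce.resource", ""))


if __name__ == "__main__":
    # Constructed sample settings: a benign resource and a traversal attempt.
    for resource in ("secsigner-ext.jar", "..\\..\\Startup\\x.exe"):
        cfg = {"seccommerce.resource.localcopy": "on",
               "seccommerce.resource": resource}
        print(repr(resource), "->", unchecked_local_copy(BASE_DIR, resource),
              "| confined:", plan_local_copy(cfg))
```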


This vulnerability is only a sample; no further investigations regarding the
security quality of the product have been performed.



Proof of concept:

No exploit code will be published.

Vulnerable / tested versions:

SecSigner 3.5.0



Vendor contact timeline:

2011-11-10: Contacting vendor through, asking for security
2011-11-10/2011-11-11: Exchanging emails & encryption key, sending security
2011-11-11: Explaining the vulnerability to the vendor, sending details that
            it is exploitable
2011-11-12: Vendor releases first fixed version
2011-11-14: Contacting CERT
2011-11-12/25: Vendor releases newer versions
2011-12-19: Coordinated public release of advisory





Apply the fix of the vendor and only use the latest version:

Build 4551E033EB0836D845AF92CA85476821471EFD3F539CDDF89B813F5402FD8C1D
Version 3.5.0 created 2011/11/25






Only use the fixed version and invalidate the old Java applet certificate!

Remove the affected trusted certificate of SecSigner/SecCommerce from the Java
control panel (jcontrol) from all clients and add it to the Oracle Java

Don't fully trust signed Java applets (in general).



Advisory URL:





SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com

EOF E. Demeter, J. Greil / @2011