Source: Japan Vulnerability Notes (jvn.jp), JVN:07426151
Sep 30, 2020 - 12:00 a.m.

JVN#07426151: InfoCage SiteShell installs their files with improper access permissions


CVSS2: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)

  • Attack Vector: LOCAL
  • Attack Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: COMPLETE
  • Integrity Impact: COMPLETE
  • Availability Impact: COMPLETE

CVSS3: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

  • Attack Vector: LOCAL
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

EPSS: 0 (Percentile: 12.6%)

InfoCage SiteShell, provided by NEC Corporation, installs its files with improper access permissions (CWE-732).
In particular, the service executable files can be modified by users in the Everyone group.

Impact

The service executable files may be modified by local users, resulting in arbitrary code execution with elevated privileges.
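
A defender-side check for the condition described above, added here as an example and not taken from the JVN advisory or from NEC: it lists Windows service executables whose ACL grants write-type rights to Everyone, Authenticated Users or BUILTIN\Users. The `-NameLike` parameter and the helper `Get-ServiceBinaryPath` are assumptions of this example; the advisory gives no service names or install paths, so the default checks every service.

```powershell
# Added example (not from the advisory): flag service executables that broad groups can modify (CWE-732).
param([string]$NameLike = '*')  # assumption: optional service-name wildcard; default checks every service

# Well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users
$broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'

# Rights that let a principal alter or replace the file or its ACL,
# plus the GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000) bits some ACEs carry.
$fsRights  = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$writeMask = ([int]$fsRights) -bor 0x50000000

function Get-ServiceBinaryPath([string]$PathName) {
    # PathName may be quoted and may carry arguments, e.g. "C:\dir\svc.exe" -k group
    $p = [Environment]::ExpandEnvironmentVariables($PathName)
    if ($p -match '^\s*"([^"]+)"')        { return $Matches[1] }
    if ($p -match '^\s*(.+?\.exe)(\s|$)') { return $Matches[1] }
    return $null
}

$findings = foreach ($svc in Get-CimInstance Win32_Service | Where-Object Name -like $NameLike) {
    $exe = Get-ServiceBinaryPath $svc.PathName
    if (-not $exe -or -not (Test-Path -LiteralPath $exe -PathType Leaf)) { continue }

    # Read the file's ACEs with identities as SIDs, so the match does not depend on localized group names
    $acl = Get-Acl -LiteralPath $exe
    foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($ace.AccessControlType -ne 'Allow')                    { continue }
        if ($broadSids -notcontains $ace.IdentityReference.Value)  { continue }
        if ((([int]$ace.FileSystemRights) -band $writeMask) -eq 0) { continue }
        [pscustomobject]@{
            Service   = $svc.Name
            RunsAs    = $svc.StartName
            Path      = $exe
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else           { 'No service executable grants write access to Everyone, Authenticated Users or BUILTIN\Users.' }
```

Run it from an account that can read the ACLs of the service directories; rows where `RunsAs` is a privileged account such as LocalSystem correspond to the impact described above.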

Solution

Apply the Patch
Update the software to the appropriate revision according to the information provided by the developer.

The developer has released the following patches:

  • V2.0.0.6
  • V2.1.0.7
  • V2.1.1.6
  • V3.0.0.11
  • V4.0.0.6
  • V4.1.0.5
  • V4.2.0.1

According to the developer, V1.4, V1.5 and V1.6 have reached End-of-Standard-Support and no patches are available; users should upgrade them to V2.0 or higher.

Products Affected

  • Host type SiteShell for IIS V1.4
  • Host type SiteShell for IIS V1.5
  • Host type SiteShell for IIS V1.6
  • Host type SiteShell for IIS prior to revision V2.0.0.6
  • Host type SiteShell for IIS prior to revision V2.1.0.7
  • Host type SiteShell for IIS prior to revision V2.1.1.6
  • Host type SiteShell for IIS prior to revision V3.0.0.11
  • Host type SiteShell for IIS prior to revision V4.0.0.6
  • Host type SiteShell for IIS prior to revision V4.1.0.5
  • Host type SiteShell for IIS prior to revision V4.2.0.1
  • Host type SiteShell for Apache Windows V1.4
  • Host type SiteShell for Apache Windows V1.5
  • Host type SiteShell for Apache Windows V1.6
  • Host type SiteShell for Apache Windows prior to revision V2.0.0.6
  • Host type SiteShell for Apache Windows prior to revision V2.1.0.7
  • Host type SiteShell for Apache Windows prior to revision V2.1.1.6
  • Host type SiteShell for Apache Windows prior to revision V3.0.0.11
  • Host type SiteShell for Apache Windows prior to revision V4.0.0.6
  • Host type SiteShell for Apache Windows prior to revision V4.1.0.5
  • Host type SiteShell for Apache Windows prior to revision V4.2.0.1
