IDrive Online Backup ActiveX Control < 3.4.1 Arbitrary File Overwrite
Severity: High
Nessus Plugin ID 55549
Synopsis
The remote Windows host has an ActiveX control that allows overwriting arbitrary files.
Description
The version of IDrive installed on the remote Windows host is earlier than 3.4.1 and includes a third-party ActiveX control named UniBasicPack.UniTextBox from CyberActiveX with an insecure method.
Specifically, the 'SaveToFile()' method can be abused to overwrite arbitrary files.
Note that this control implements IObjectSafety, which reports that it is safe for both initialization and scripting, even though it is not marked as such in the registry itself.
Solution
Upgrade to IDrive 3.4.1 or later, which does not include the control.