[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
 
 discussions
- read forum
- new topic
- search
 

 meetings
- meetings list
- recent additions
- add your info
 
 top 100 sites
- visit top sites
- sign up now
- members
 
 webmasters

- add your url
- add domain
- search box
- link to us

 
 projects
- our projects
- free email
 
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : Possible to read any file with Talentsoft Web+ Application

Title: Possible to read any file with Talentsoft Web+ Application
Released by: Delphis Consulting Plc
Date: 26th September 2000
Printable version: Click here 
============================================================================

    Delphis Consulting Plc

============================================================================



   Security Team Advisories

       [26/09/2000]



    securityteam@delphisplc.com

  [http://www.delphisplc.com/thinking/whitepapers/]



============================================================================

Adv     :       DST2K0042

Title   :       Possible to read any file with Talentsoft Web+ Application

    Server example scripts.

Author  :       DCIST (securityteam@delphisplc.com)

O/S     :       Affected: Linux

    Not Affected: Microsoft Windows NT

Product :       4.6 Client-Server Linux (webpsvr Build 539)

    4.6 Linux (Build 25)

Date    :       26/09/2000



I.    Description



II.   Solution



III.  Disclaimer





============================================================================



I. Description

============================================================================



Vendor URL: http://www.talentsoft.com/



Delphis Consulting Internet Security Team (DCIST) discovered the following

vulnerability in Web+ Application Server under Linux.



Severity: High



If the default example scripts are installed it is possible to execute/read

any file which Web+ user (default is 'nobody') has access to using the

Web+Ping example.



To exploit simply place a '|' after the parameter you which to provide to

ping and then the command you wish to execute.



e.g:

Goto:

http://target/cgi-bin/webplus.cgi?Script=/webplus/webping/webping.wml



Then type in host destination box:

127.0.0.1 | cat /etc/passwd



You will then be presented with the contents of the /etc/passwd file.



It is not possible to exploit this vulnerability under the WindowsNT

edition due to the fact that it does not seem to run a command shell

but rather a CreateProcess call to allow the application to run.



II. Solution

============================================================================



Vendor Status: Informed



Vendor solution below:



"We are in the process of modifying this script, but are recommending that

users on servers disable the webrun command in the webplus server admin

area for best protection against the exploitation of the example scripts.

We are  also in the process of modifying these scripts to be more secure."



TalentSoft will be providing details of how to do the above at the below

URL.



TalentSoft Security Section:

http://developer.talentsoft.com/security.html



III. Disclaimer

============================================================================

THE INFORMATION CONTAINED IN THIS ADVISORY IS BELIEVED TO BE ACCURATE AT

THE TIME OF PRINTING, BUT NO REPRESENTATION OR WARRANTY IS GIVEN, EXPRESS OR

IMPLIED, AS TO ITS ACCURACY OR COMPLETENESS.  NEITHER THE AUTHOR NOR THE

PUBLISHER ACCEPTS ANY LIABILITY WHATSOEVER FOR ANY DIRECT, INDIRECT OR

CONSEQUENTIAL LOSS OR DAMAGE ARISING IN ANY WAY FROM ANY USE OF, OR RELIANCE

PLACED ON, THIS INFORMATION FOR ANY PURPOSE.

============================================================================






(C) 1999-2000 All rights reserved.