----- Forwarded message from "Whitehouse, Ollie" ----- Approved-By: aleph1@SECURITYFOCUS.COM Delivered-To: bugtraq@lists.securityfocus.com Delivered-To: BUGTRAQ@SECURITYFOCUS.COM X-Mailer: Internet Mail Service (5.5.2650.21) Date: Thu, 28 Sep 2000 17:13:46 +0100 Reply-To: "Whitehouse, Ollie" From: "Whitehouse, Ollie" Subject: DST2K0042: Possible to read/execute any file with Talentsoft Web+ Application Server example scripts. X-To: "win2ksecadvice@LISTSERV.NTSECURITY.NET" , "NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM" To: BUGTRAQ@SECURITYFOCUS.COM ============================================================================ Delphis Consulting Plc ============================================================================ Security Team Advisories [26/09/2000] securityteam@delphisplc.com [http://www.delphisplc.com/thinking/whitepapers/] ============================================================================ Adv : DST2K0042 Title : Possible to read any file with Talentsoft Web+ Application Server example scripts. Author : DCIST (securityteam@delphisplc.com) O/S : Affected: Linux Not Affected: Microsoft Windows NT Product : 4.6 Client-Server Linux (webpsvr Build 539) 4.6 Linux (Build 25) Date : 26/09/2000 I. Description II. Solution III. Disclaimer ============================================================================ I. Description ============================================================================ Vendor URL: http://www.talentsoft.com/ Delphis Consulting Internet Security Team (DCIST) discovered the following vulnerability in Web+ Application Server under Linux. Severity: High If the default example scripts are installed it is possible to execute/read any file which Web+ user (default is 'nobody') has access to using the Web+Ping example. To exploit simply place a '|' after the parameter you which to provide to ping and then the command you wish to execute. e.g: Goto: http://target/cgi-bin/webplus.cgi?Script=/webplus/webping/webping.wml Then type in host destination box: 127.0.0.1 | cat /etc/passwd You will then be presented with the contents of the /etc/passwd file. It is not possible to exploit this vulnerability under the WindowsNT edition due to the fact that it does not seem to run a command shell but rather a CreateProcess call to allow the application to run. II. Solution ============================================================================ Vendor Status: Informed Vendor solution below: "We are in the process of modifying this script, but are recommending that users on servers disable the webrun command in the webplus server admin area for best protection against the exploitation of the example scripts. We are also in the process of modifying these scripts to be more secure." TalentSoft will be providing details of how to do the above at the below URL. TalentSoft Security Section: http://developer.talentsoft.com/security.html III. Disclaimer ============================================================================ THE INFORMATION CONTAINED IN THIS ADVISORY IS BELIEVED TO BE ACCURATE AT THE TIME OF PRINTING, BUT NO REPRESENTATION OR WARRANTY IS GIVEN, EXPRESS OR IMPLIED, AS TO ITS ACCURACY OR COMPLETENESS. NEITHER THE AUTHOR NOR THE PUBLISHER ACCEPTS ANY LIABILITY WHATSOEVER FOR ANY DIRECT, INDIRECT OR CONSEQUENTIAL LOSS OR DAMAGE ARISING IN ANY WAY FROM ANY USE OF, OR RELIANCE PLACED ON, THIS INFORMATION FOR ANY PURPOSE. ============================================================================ This e-mail and any files transmitted with it are intended solely for the addressee and are confidential. They may also be legally privileged.Copyright in them is reserved by Delphis Consulting PLC ["Delphis"] and they must not be disclosed to, or used by, anyone other than the addressee.If you have received this e-mail and any accompanying files in error, you may not copy, publish or use them in any way and you should delete them from your system and notify us immediately.E-mails are not secure. Delphis does not accept responsibility for changes to e-mails that occur after they have been sent. Any opinions expressed in this e-mail may be personal to the author and may not necessarily reflect the opinions of Delphis ----- End forwarded message -----