============================================================================ Delphis Consulting Plc ============================================================================ Security Team Advisories [19/09/2000] securityteam@delphisplc.com [http://www.delphisplc.com/thinking/whitepapers/] ============================================================================ Adv : DST2K0032 Title : Multiple Issues with Talentsoft WebPlus Application Server Author : DCIST (securityteam@delphisplc.com) O/S : Microsoft Windows Nt 2000 Professional (SP1) / Linux Product : Web+ Server Version: 4.6 Client-Server NT (webpsvc.exe Build 539) Web+ Monitor Version: 4.6 Client-Server NT (Build 14) Web+ Client Version: 4.6 NT (Build 25) Date : 19/09/2000 I. Description II. Solution III. Disclaimer ============================================================================ I. Description ============================================================================ Vendor URL: http://www.talentsoft.com Delphis Consulting Internet Security Team (DCIST) discovered the following vulnerability in Webplus under Windows NT. Severity: low - Path revealing It is possible to cause Webplus to reveal the physical path which it is installed within. This is done by executing the CGI application and passing a single . example: http://127.0.0.1/cgi-bin/webplus.exe?script=. This will respond with an error message detailing the physical path. Severity: low - Internal IP address leakage If your server is being NAT'd (i.e. located behind a firewall/load balancer) it is possible to retrieve your internal IP address by passing the about option to the cgi application. example: http://127.0.0.1/cgi-bin/webplus.exe?about Severity: medium - Source code viewing on NTFS partitions It is possible to cause Webplus to reveal the source code of the WML files which are located on NTFS partitions. This is done by appending the data stream you wish on to the WML file. example: http://127.0.0.1/cgi-bin/webplus.exe?script=test.wml::$DATA The danger here as the Delphis team have demonstrated is being able to access DSN information (datasource, table names, usernames & passwords). It is also possible if the Script root has been set to the webroot to read the source code of other script files (i.e. ASP). example: http://127.0.0.1/cgi-bin/webplus.exe?script=test.asp::$DATA II. Solution ============================================================================ Vendor Status: Informed Delphis are happy to announce that Talentsoft has a patch for the above ::$DATA issue. The following was information recieved from the vendor. You require build 542 (to fully disable the parsing of ::$DATA requires using a newly rebuilt webplus.dll in addition to the use of build 542 of webpsvc.exe web+ server)). If you have any issues obtaining this patch please contact Talentsoft support. III. Disclaimer ============================================================================ THE INFORMATION CONTAINED IN THIS ADVISORY IS BELIEVED TO BE ACCURATE AT THE TIME OF PRINTING, BUT NO REPRESENTATION OR WARRANTY IS GIVEN, EXPRESS OR IMPLIED, AS TO ITS ACCURACY OR COMPLETENESS. NEITHER THE AUTHOR NOR THE PUBLISHER ACCEPTS ANY LIABILITY WHATSOEVER FOR ANY DIRECT, INDIRECT OR CONSEQUENTIAL LOSS OR DAMAGE ARISING IN ANY WAY FROM ANY USE OF, OR RELIANCE PLACED ON, THIS INFORMATION FOR ANY PURPOSE. ============================================================================ This e-mail and any files transmitted with it are intended solely for the addressee and are confidential. They may also be legally privileged.Copyright in them is reserved by Delphis Consulting PLC ["Delphis"] and they must not be disclosed to, or used by, anyone other than the addressee.If you have received this e-mail and any accompanying files in error, you may not copy, publish or use them in any way and you should delete them from your system and notify us immediately.E-mails are not secure. Delphis does not accept responsibility for changes to e-mails that occur after they have been sent. Any opinions expressed in this e-mail may be personal to the author and may not necessarily reflect the opinions of Delphis