[ SOURCE: http://www.secureroot.com/security/advisories/9713652657.html ]

============================================================================
    Delphis Consulting Plc
============================================================================

   Security Team Advisories
       [26/09/2000]

    securityteam@delphisplc.com
  [http://www.delphisplc.com/thinking/whitepapers/]

============================================================================
Adv     :       DST2K0042
Title   :       Possible to read any file with Talentsoft Web+ Application
    Server example scripts.
Author  :       DCIST (securityteam@delphisplc.com)
O/S     :       Affected: Linux
    Not Affected: Microsoft Windows NT
Product :       4.6 Client-Server Linux (webpsvr Build 539)
    4.6 Linux (Build 25)
Date    :       26/09/2000

I.    Description

II.   Solution

III.  Disclaimer


============================================================================

I. Description
============================================================================

Vendor URL: http://www.talentsoft.com/

Delphis Consulting Internet Security Team (DCIST) discovered the following
vulnerability in Web+ Application Server under Linux.

Severity: High

If the default example scripts are installed it is possible to execute/read
any file which Web+ user (default is 'nobody') has access to using the
Web+Ping example.

To exploit simply place a '|' after the parameter you which to provide to
ping and then the command you wish to execute.

e.g:
Goto:
http://target/cgi-bin/webplus.cgi?Script=/webplus/webping/webping.wml

Then type in host destination box:
127.0.0.1 | cat /etc/passwd

You will then be presented with the contents of the /etc/passwd file.

It is not possible to exploit this vulnerability under the WindowsNT
edition due to the fact that it does not seem to run a command shell
but rather a CreateProcess call to allow the application to run.

II. Solution
============================================================================

Vendor Status: Informed

Vendor solution below:

"We are in the process of modifying this script, but are recommending that
users on servers disable the webrun command in the webplus server admin
area for best protection against the exploitation of the example scripts.
We are  also in the process of modifying these scripts to be more secure."

TalentSoft will be providing details of how to do the above at the below
URL.

TalentSoft Security Section:
http://developer.talentsoft.com/security.html

III. Disclaimer
============================================================================
THE INFORMATION CONTAINED IN THIS ADVISORY IS BELIEVED TO BE ACCURATE AT
THE TIME OF PRINTING, BUT NO REPRESENTATION OR WARRANTY IS GIVEN, EXPRESS OR
IMPLIED, AS TO ITS ACCURACY OR COMPLETENESS.  NEITHER THE AUTHOR NOR THE
PUBLISHER ACCEPTS ANY LIABILITY WHATSOEVER FOR ANY DIRECT, INDIRECT OR
CONSEQUENTIAL LOSS OR DAMAGE ARISING IN ANY WAY FROM ANY USE OF, OR RELIANCE
PLACED ON, THIS INFORMATION FOR ANY PURPOSE.
============================================================================