-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sword & Shield Enterprise Security, Inc. - Security Advisory
www.sses.net, Copyright (c) 2000

Advisory:      TalentSoft Web+ Input Validation Bug Vulnerability
Release Date:  April 12, 2000
Application:   webpsvr
Severity:      A remote user can read arbitrary files on the web server.
Status:        Fix available from vendor

SUMMARY
- -------

The TalentSoft Web+ server allows users to read arbitrary data files on the
web server running the webpsvr daemon. By entering a crafted URL, any user
with a browser can retrieve any file that the webpsvr daemon itself has read
access to.

DESCRIPTION
- -----------

The webpsvr daemon is the driving process for the TalentSoft, Inc. web-based
e-commerce software. The Web+ server runs under a standard web server, such
as Apache. Users invoke a CGI program called webplus (webplus.exe on
Windows), which communicates with webpsvr to serve the pages of the
electronic store implemented by Web+. In a typical installation of Web+,
the following URL brings up the Web+ storefront:

    http://yourhost.com/cgi-bin/webplus?script=/script_dir/store.wml

The webpsvr daemon is handed the value of the script variable, opens the
file it names, and serves the generated page. The script path is used
without checking for ".." components, so a URL can be crafted that lets any
browser read arbitrary files on the web server. For example, the URL:

    http://yourhost.com/cgi-bin/webplus?script=/../../../../etc/passwd

will display the contents of the file /etc/passwd, provided the webpsvr
daemon has read access to it. If webpsvr is running under the root userid,
this means that *any* file on the system can be viewed by any user, local
or remote. It should be noted that the default installation of Web+ runs
webpsvr as user "nobody", not root, so the scope of the vulnerability is
reduced to files that user can read: world-readable files and files
readable by the group that user belongs to.

IMPACT
- ------

The impact of this bug can be quite severe.
Since this is an e-commerce package, it will likely be deployed on web sites
reachable from any IP address worldwide, and this bug allows any such client
to gather vital information about the system running the Web+ software (the
account list in /etc/passwd, for example) that could be used in further
attacks against the system.

RESOLUTION
- ----------

A fix for this bug does exist, and can be obtained by contacting TalentSoft
support at [EMAIL PROTECTED]. The web address for TalentSoft is
www.talentsoft.com; further contact information is available there.

AFFECTED VERSIONS and SYSTEMS
- -----------------------------

This bug is known to exist in Web+ 4.X as of March 1999, and is believed,
though unverified, to exist in all previous versions. The vulnerability was
tested and confirmed on a RedHat 6.1 Linux system.

The latest webpsvr binary that is known to contain this bug is Build 506.
Build information can be obtained by entering the URL:

    http://yourhost.com/cgi-bin/webplus?about

The fixed version of the webpsvr daemon will be released in build 512 or
later.

ACKNOWLEDGEMENTS
- ----------------

The bug discovery, testing, demonstration, vendor coordination, and advisory
generation are the work of SSES, Inc. security engineers Dennis Edmonds,
Karl Allen, and Matt Smith.

DISCLAIMER
- ----------

Although SSES, Inc. intends to provide accurate information, this advisory
does not claim to be complete or usable for any purpose.

NO WARRANTY
- -----------

This advisory is provided on an "as is" basis. SSES, Inc. makes no
warranties of any kind, either expressed or implied, as to any matter
including, but not limited to, warranty of fitness for a particular purpose
or merchantability, exclusivity, or results obtained from use of the
material. SSES, Inc. does not make any warranty of any kind with respect to
freedom from patent, trademark, or copyright infringement. The supplied
advisory is not to be used for malicious purposes and should be used for
informational purposes only.
-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.5.2

iQA/AwUBOPTTFSNIe6YN5etXEQKtigCgz6IEFgrH8azIXEsmtOggpNFvD4kAoNAZ
9H67LZrKo+xNoKtkIv9xtshd
=DdXi
-----END PGP SIGNATURE-----
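Worked example of the path handling the advisory describes. This is an editor's addition, not code from SSES or TalentSoft: it models a naive webpsvr that simply appends the script= value to an install root (the root path /usr/local/webplus is an assumption; the advisory does not say where Web+ keeps its scripts), places a hardened resolver beside it that normalises the path and rejects anything escaping the root or not ending in .wml, and adds a request check of the kind a proxy or IDS rule would apply, which also catches percent-encoded variants because the query string is decoded once, as the CGI would see it. The sample URLs are constructed.

```python
import posixpath
from urllib.parse import parse_qs, urlsplit

# Assumed install root under which webpsvr looks up script= paths.
# Hypothetical: the advisory only shows the relative form /script_dir/store.wml.
WEBPLUS_ROOT = "/usr/local/webplus"


def resolve_script_vulnerable(script_param):
    """Path a naive webpsvr would open: root + script=, no containment check.

    normpath collapses the '..' components, so the result can sit anywhere
    on the filesystem, which is exactly the bug in the advisory.
    """
    return posixpath.normpath(WEBPLUS_ROOT + "/" + script_param)


def inside_root(path, root=WEBPLUS_ROOT):
    """True when the normalised absolute path is root itself or below it."""
    return posixpath.commonpath([root, path]) == root


def resolve_script_hardened(script_param):
    """Hardened variant (added here; not TalentSoft's fix).

    Normalise first, then refuse anything that left WEBPLUS_ROOT and anything
    that is not a .wml script. Returns the path to open, or None to reject.
    """
    candidate = posixpath.normpath(
        posixpath.join(WEBPLUS_ROOT, script_param.lstrip("/")))
    if not inside_root(candidate):
        return None
    if not candidate.endswith(".wml"):
        return None
    return candidate


def script_param(url):
    """The script= value as the CGI sees it; parse_qs percent-decodes once."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("script", [""])[0]


def is_traversal_request(url):
    """Detection check: would the script= value land outside the root?"""
    return not inside_root(resolve_script_vulnerable(script_param(url)))


# Constructed sample requests: the advisory's two URLs plus an encoded variant.
SAMPLE_URLS = (
    "http://yourhost.com/cgi-bin/webplus?script=/script_dir/store.wml",
    "http://yourhost.com/cgi-bin/webplus?script=/../../../../etc/passwd",
    "http://yourhost.com/cgi-bin/webplus?script="
    "%2F%2e%2e%2F%2e%2e%2F%2e%2e%2F%2e%2e%2Fetc%2Fpasswd",
    "http://yourhost.com/cgi-bin/webplus?about",
)

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        param = script_param(url)
        print(url)
        print("  naive server opens :", resolve_script_vulnerable(param))
        print("  hardened resolver  :", resolve_script_hardened(param))
        print("  flagged as traversal:", is_traversal_request(url))
```

The containment test uses commonpath on the already-normalised path rather than a substring check on the raw parameter, so "/script_dir/../../x.wml" is rejected even though every component looks harmless on its own; a filter that only strips the literal ".." string would miss the encoded form above entirely.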