Vulnerability

    WebPlus

Affected

    Talentsoft WebPlus Application Server

Description

    The following is based on Delphis Consulting Advisory DST2K0032.

    It is possible to cause Webplus to reveal the physical path in which it is installed. This is done by executing the CGI application and passing a single. Example:

        http://127.0.0.1/cgi-bin/webplus.exe?script=.

    This will respond with an error message detailing the physical path.

    If your server is being NAT'd (i.e. located behind a firewall/load balancer), it is possible to retrieve your internal IP address by passing the about option to the CGI application. Example:

        http://127.0.0.1/cgi-bin/webplus.exe?about

    It is possible to cause Webplus to reveal the source code of WML files located on NTFS partitions. This is done by appending the desired data stream to the WML file name. Example:

        http://127.0.0.1/cgi-bin/webplus.exe?script=test.wml::$DATA

    The danger here, as the Delphis team have demonstrated, is being able to access DSN information (datasource, table names, usernames & passwords). If the Script root has been set to the webroot, it is also possible to read the source code of other script files (i.e. ASP). Example:

        http://127.0.0.1/cgi-bin/webplus.exe?script=test.asp::$DATA

Solution

    Delphis are happy to announce that Talentsoft has a patch for the above ::$DATA issue. The following information was received from the vendor.

    You require build 542 (to fully disable the parsing of ::$DATA requires using a newly rebuilt webplus.dll in addition to the use of build 542 of webpsvc.exe web+ server). If you have any issues obtaining this patch, please contact Talentsoft support.
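Detection

    The following Python code is an added example, not part of the Delphis advisory or Talentsoft's software. It scans web access logs for two of the request patterns described above: the about option, and a script name carrying NTFS stream syntax such as ::$DATA, including percent-encoded and double-encoded forms. The log lines are constructed, and treating any colon in the script value as suspicious is an assumption that legitimate script names never contain one.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed access-log lines (not from a real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2000:10:00:00 +0000] "GET /cgi-bin/webplus.exe?script=test.wml HTTP/1.0" 200 512',
    '10.0.0.9 - - [01/Jan/2000:10:00:05 +0000] "GET /cgi-bin/webplus.exe?script=test.wml::$DATA HTTP/1.0" 200 2048',
    '10.0.0.9 - - [01/Jan/2000:10:00:07 +0000] "GET /cgi-bin/webplus.exe?script=test.asp%253A%253A%2524data HTTP/1.0" 200 4096',
    '10.0.0.8 - - [01/Jan/2000:10:00:09 +0000] "GET /CGI-BIN/WebPlus.exe?about HTTP/1.0" 200 300',
]
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def fully_unquote(value, max_rounds=3):
    # Percent-decode repeatedly so double-encoded input is compared in the clear.
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(target):
    # Return the findings for one request target (path plus query string).
    parts = urlsplit(target)
    if not fully_unquote(parts.path).lower().endswith("/webplus.exe"):
        return []
    findings = []
    for field in parts.query.split("&"):
        name, _, value = field.partition("=")
        name, value = fully_unquote(name).lower(), fully_unquote(value)
        if name == "about":
            findings.append("about-option")
        elif name == "script" and ":" in value:
            # A colon in the script name is NTFS stream syntax (::$DATA included).
            findings.append("ntfs-stream-in-script")
    return findings

def scan(lines):
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        findings = classify(m.group(1)) if m else []
        if findings:
            hits.append((line.split()[0], findings))
    return hits

if __name__ == "__main__":
    for client, findings in scan(SAMPLE_LOG):
        print(client, ", ".join(findings))
```

    A 200 response to a flagged request on a server older than build 542 is worth following up, since the response body may have contained script source or DSN details.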