Vulnerability

    WebPlus

Affected

    Talentsoft WebPlus Application Server

Description

    Followig  is  based  on  a  Delphis Consulting Advisory DST2K0032.
    It is possible to cause Webplus to reveal the physical path  which
    it  is  installed  within.   This  is  done  by  executing the CGI
    application and passing a single.  Example:

        http://127.0.0.1/cgi-bin/webplus.exe?script=.

    This will  respond with  an error  message detailing  the physical
    path.

    If your server is being NAT'd (i.e. located behind a firewall/load
    balancer) it is possible to  retrieve your internal IP address  by
    passing the about option to the cgi application.  Example:

        http://127.0.0.1/cgi-bin/webplus.exe?about

    It is possible to cause Webplus  to reveal the source code of  the
    WML files which are located on  NTFS partitions.  This is done  by
    appending the data stream you wish on to the WML file.  Example:

        http://127.0.0.1/cgi-bin/webplus.exe?script=test.wml::$DATA

    The danger  here as  the Delphis  team have  demonstrated is being
    able to access DSN information (datasource, table names, usernames
    & passwords).  It is also possible if the Script root has been set
    to the webroot to read the source code of other script files (i.e.
    ASP).  Example:

        http://127.0.0.1/cgi-bin/webplus.exe?script=test.asp::$DATA

Solution
    Delphis are happy to announce that Talentsoft has a patch for  the
    above ::$DATA issue.  The following was information recieved  from
    the vendor.

    You require  build 542  (to fully  disable the  parsing of ::$DATA
    requires using a newly rebuilt webplus.dll in addition to the  use
    of build 542 of webpsvc.exe web+ server)).

    If  you  have  any  issues  obtaining  this  patch  please contact
    Talentsoft support.