Vulnerability

    Webplus

Affected

    Talentsoft Web+ Application

Description

    Following  is  based  on  a  Delphis  Consulting Security Advisory
    DST2K0042.   If the  default example  scripts are  installed it is
    possible  to  execute/read  any  file  which Web+ user (default is
    'nobody') has access to using the Web+Ping example.

    To exploit  simply place  a '|'  after the  parameter you which to
    provide to ping and then the command you wish to execute, e.g:

        - Goto: http://target/cgi-bin/webplus.cgi?Script=/webplus/webping/webping.wml
        - Then type in host destination box: 127.0.0.1 | cat /etc/passwd

    You will then  be presented with  the contents of  the /etc/passwd
    file.  It is not possible to exploit this vulnerability under  the
    WindowsNT edition due to the fact  that it does not seem to  run a
    command  shell  but  rather  a  CreateProcess  call  to  allow the
    application to run.

Solution

    Vendor  is  in  the  process  of  modifying this script, but it is
    recommend it that users on  servers disable the webrun command  in
    the  webplus  server  admin  area  for best protection against the
    exploitation of the example scripts.  TalentSoft will be providing
    details of how to do the above at the below URL:

        http://developer.talentsoft.com/security.html