COMMAND

Talentsoft's Web+ remote buffer overflow via cookie

SYSTEMS AFFECTED

Talentsoft's Web+ v5.0

PROBLEM

In David Litchfield of NGSSoftware [http://www.ngssoftware.com] advisory [#NISR17042002B]:

By requesting a WML file from a web server and supplying an overly long cookie, an internal buffer is overflowed, overwriting a saved return address on the stack. On procedure return control over the web server process' execution can be gained.

If the server is running IIS 4 and using the Web+ ISAPI filter, then inetinfo.exe is the process captured. As this runs as SYSTEM, any code supplied by an attacker will run uninhibited.

If IIS 5.0 then the process is dllhost.exe which runs in the context of the IWAM_* account. As this has limited privileges the risk is reduced.

If the Web+ environment is set up using the webplus CGI executable, webplus.exe, on either server, then, again, the risk is reduced.

SOLUTION

Talentsoft have created a patch for this problem, see http://www.talentsoft.com/download/download.en.wml