Vulnerability

webpsvr

Affected

TalentSoft Web+

Description

The following is based on a Security Advisory by Sword & Shield Enterprise Security. The TalentSoft Web+ server allows users to read arbitrary data files on the Web server running the webpsvr daemon. By entering a crafted URL, any user with a browser can retrieve files that the webpsvr daemon itself has access to.

The webpsvr daemon is the driving process for the TalentSoft, Inc. Web-based e-commerce software. The Web+ server runs under a standard web server, such as Apache. Users run a CGI script called webplus (webplus.exe on Windows), which communicates with webpsvr to serve up the web pages for the electronic store that is implemented by Web+. In a typical installation of Web+, the following URL will bring up the Web+ storefront:

    http://yourhost.com/cgi-bin/webplus?script=/script_dir/store.wml

The webpsvr daemon is handed the script variable and serves up the generated page. Through use of the string "..", a URL can be crafted that will allow any browser to see arbitrary files on the web server. For example, the URL:

    http://yourhost.com/cgi-bin/webplus?script=/../../../../etc/passwd

will display the contents of the file /etc/passwd if read access is available to the webpsvr daemon. If webpsvr is running under the root userid, this essentially means that *any* file on the system can be viewed by any user (local or remote). It should be noted that the default installation of Web+ will have webpsvr run as user "nobody", and not root, so the scope of the vulnerability is reduced to group-owned and world-readable files.

The impact of this bug can be quite severe. Since this is an e-commerce package, it will likely be used on web sites that are accessible to any IP address worldwide, and this bug will allow users to gather vital information about the system running the Web+ software that could be used in exploits against the system.
This bug is known to exist in Web+ 4.X as of March 1999, and is believed, though unverified, to exist in all previous versions. The vulnerability was tested and confirmed on a RedHat 6.1 Linux system. The latest webpsvr binary that is known to contain this bug is Build 506. Build information can be obtained by entering the URL:

    http://yourhost.com/cgi-bin/webplus?about

The bug discovery, test, demonstration, vendor coordination, and advisory generation are the results of SSES, Inc. security engineers Dennis Edmonds, Karl Allen, and Matt Smith.

Solution

This problem has been corrected in builds of webplus after 512. For those who need the upgraded binary, you can either contact support@talentsoft.com for a link to the patch, or obtain the patch from the web site (www.talentsoft.com).
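The following is an added example, not part of the original advisory and not TalentSoft's code: a Python check a site operator could run over web server access logs to flag webplus requests whose script parameter resolves outside the script directory, including percent-encoded forms of "..". The base directory /var/www/webplus, the function names and the log lines are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import urlsplit, parse_qs, unquote

SCRIPT_ROOT = "/var/www/webplus"   # assumed base directory (hypothetical)
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded dots are also seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def script_escapes_root(url, root=SCRIPT_ROOT):
    """True if any script= value resolves to a path outside root."""
    for raw in parse_qs(urlsplit(url).query).get("script", []):
        # Treat backslashes as separators too (conservative assumption).
        value = fully_decode(raw).replace("\\", "/")
        # Strip leading "/" so the value is joined under root, not over it.
        resolved = posixpath.normpath(posixpath.join(root, value.lstrip("/")))
        if resolved != root and not resolved.startswith(root + "/"):
            return True
    return False

def flag_traversal(log_lines):
    """Return (client, request) pairs for webplus hits that escape root."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if m and "/webplus" in m.group(2) and script_escapes_root(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits

# Constructed sample access-log lines (Common Log Format), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Mar/2000:10:00:00 +0000] "GET /cgi-bin/webplus?script=/script_dir/store.wml HTTP/1.0" 200 5120',
    '198.51.100.7 - - [01/Mar/2000:10:00:05 +0000] "GET /cgi-bin/webplus?script=/../../../../etc/passwd HTTP/1.0" 200 912',
    '198.51.100.7 - - [01/Mar/2000:10:00:09 +0000] "GET /cgi-bin/webplus?script=%2F%2e%2e%2F%2e%2e%2F%2e%2e%2Fetc%2Fpasswd HTTP/1.0" 200 912',
    '192.0.2.10 - - [01/Mar/2000:10:00:12 +0000] "GET /cgi-bin/webplus?about HTTP/1.0" 200 300',
]

if __name__ == "__main__":
    for client, request in flag_traversal(SAMPLE_LOG):
        print(client, request)
```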