OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: TalentSoft Web+ Input Validation Bug Vulnerability
From: John P. McNeely (jmcneelySSES.NET)
Date: Wed Apr 12 2000 - 14:48:37 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sword & Shield Enterprise Security, Inc. - Security Advisory
www.sses.net, Copyright (c) 2000

Advisory: TalentSoft Web+ Input Validation Bug Vulnerability
Release Date: April 12, 2000
Application: webpsvr
Severity: A remote user can access web server files arbitrarily.
Status: Fix available from vendor

SUMMARY
- -------
The TalentSoft Web+ server allows users to read arbitrary data files on
the Web server running the webpsvr daemon. By entering a crafted URL any
user with a browser can retrieve files that the webpsvr daemon itself has
access to.

DESCRIPTION
- -----------
The webpsvr daemon is the driving process for the TalentSoft, Inc. web
based e-commerce software. The Web+ server runs under a standard web
server, such as Apache. Users run a CGI script called webplus (webplus.exe
on Windows), which communicates with webpsvr to serve up the web pages
for the electronic store that is implemented by Web+. In a typical
installation of Web+, the following URL will bring up the
Web+ storefront:

        http://yourhost.com/cgi-bin/webplus?script=/script_dir/store.wml

The webpsvr daemon is handed the script variable, and serves up the
generated page. Through use of the string ".." a URL can be crafted that
will allow any browser to see arbitrary files on the web server. For
example, the URL:

        http://yourhost.com/cgi-bin/webplus?script=/../../../../etc/passwd

will display the contents of the file /etc/passwd if read access is available
to the webpsvr daemon. If webpsvr is running under the root userid, this
essentially means that *any* file on the system can be viewed by any user
(local or remote). It should be noted that the default installation of
Web+ will have webpsvr run as user "nobody", and not root, so the
scope of the vulnerability is reduced to group owned and world readable
files.

IMPACT
- ------
The impact of this bug can be quite severe. Since this is an e-commerce
package it will likely be used on web sites that are accessible to any
IP address world wide, and this bug will allow users to gather vital
information about the system running the Web+ software that could be
used in exploits against the system.

RESOLUTION
- ----------
A fix for this bug does exist, and can be obtained by contacting TalentSoft
support at supporttalentsoft.com.

The web address for TalentSoft is www.talentsoft.com - further contact
information is available there.

AFFECTED VERSIONS and SYSTEMS
- -----------------------------
This bug is known to exist in Web+ 4.X as of March 1999, and is
believed, though unverified, to exist in all previous versions.
The vulnerability was tested and confirmed on a RedHat 6.1 Linux system.
The latest webpsvr binary that is known to contain this bug is Build 506.
Build information can be obtained by entering the URL:

        http://yourhost.com/cgi-bin/webplus?about

The fixed version of the webpsvr daemon will be released in build 512
or later.

ACKNOWLEDGEMENTS
- ----------------
The bug discovery, test, demonstration, vendor coordination,
and advisory generation are the results of SSES, Inc. security engineers
Dennis Edmonds, Karl Allen, and Matt Smith.

DISCLAIMER
- ----------
Although SSES, Inc. intends to provide accurate information, this
advisory does not claim to be complete or usable for any purpose.

NO WARRANTY
- -----------
This advisory is provided on an "as is" basis. SSES, Inc. makes no
warranties of any kind, either expressed or implied as to any matter
including, but not limited to, warranty of fitness for a particular
purpose or merchantability, exclusivity or results obtained from use
of the material. SSES, Inc. does not make any warranty of any kind
with respect to freedom from patent, trademark, or copyright infringement.

The supplied advisory is not to be used for malicious purposes and
should be used for informational purposes only.

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.5.2

iQA/AwUBOPTTFSNIe6YN5etXEQKtigCgz6IEFgrH8azIXEsmtOggpNFvD4kAoNAZ
9H67LZrKo+xNoKtkIv9xtshd
=DdXi
-----END PGP SIGNATURE-----