OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Update to DST2K0039: Webteachers Webdata: Importing files lower t han web root possible in to database
From: Security Team (SecurityTeamDELPHISPLC.COM)
Date: Tue Oct 03 2000 - 02:20:38 CDT


All,

We are happy to announce a vendor patch to our previous Advisory DST2K0039.

Delphis Advisory ID:
DST2K0039

Vendor Patch URL:
http://webteacher.com/webdata/ (click download)

Vendor Comments:
A new version of Webdata has been released. The security problem is
addressed in
the new version in the following manner.

Only the admin can use the "filename" method of importing. Members must use
the
file upload method. The "enter the path to the file" box does not appear on
the
import screen when the userid is not "admin". The program also checks the
userid
during the actual importing, so a hacker could not simply type the
querystring for a
file import into the location box.

Delphis have not validated this patch so no warranties implied or otherwise.

Rgds

Security Team
Delphis Consulting Plc

============================================================================
This e-mail and any files transmitted with it are intended solely for the
addressee and are confidential. They may also be legally
privileged.Copyright in them is reserved by Delphis Consulting PLC
["Delphis"] and they must not be disclosed to, or used by, anyone other than
the addressee.If you have received this e-mail and any accompanying files in
error, you may not copy, publish or use them in any way and you should
delete them from your system and notify us immediately.E-mails are not
secure. Delphis does not accept responsibility for changes to e-mails that
occur after they have been sent. Any opinions expressed in this e-mail may
be personal to the author and may not necessarily reflect the opinions of
Delphis