COMMAND

    webpsvr

SYSTEMS AFFECTED

    TalentSoft Web+

PROBLEM

    The following is based on a Security Advisory by Sword & Shield
    Enterprise Security. The TalentSoft Web+ server allows users to
    read arbitrary data files on the Web server running the webpsvr
    daemon. By entering a crafted URL, any user with a browser can
    retrieve files that the webpsvr daemon itself has access to.

    The webpsvr daemon is the driving process for the TalentSoft, Inc.
    Web-based e-commerce software. The Web+ server runs under a
    standard web server, such as Apache. Users run a CGI script
    called webplus (webplus.exe on Windows), which communicates with
    webpsvr to serve up the web pages for the electronic store that
    is implemented by Web+. In a typical installation of Web+, the
    following URL will bring up the Web+ storefront:

        http://yourhost.com/cgi-bin/webplus?script=/script_dir/store.wml

    The webpsvr daemon is handed the script variable, and serves up
    the generated page. Through use of the string ".." a URL can be
    crafted that will allow any browser to see arbitrary files on the
    web server. For example, the URL:

        http://yourhost.com/cgi-bin/webplus?script=/../../../../etc/passwd

    will display the contents of the file /etc/passwd if read access
    is available to the webpsvr daemon. If webpsvr is running under
    the root userid, this essentially means that *any* file on the
    system can be viewed by any user (local or remote). It should be
    noted that the default installation of Web+ will have webpsvr run
    as user "nobody", and not root, so the scope of the vulnerability
    is reduced to group-owned and world-readable files.
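
    A log check for the request pattern described above, as an added
    example that is not part of the original advisory or TalentSoft's
    code. It flags webplus requests whose script parameter resolves
    outside the script directory, including percent-encoded forms the
    advisory does not show. SCRIPT_ROOT, the function names and the
    sample log lines are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: the advisory does not say which directory "script" is resolved from.
SCRIPT_ROOT = "/opt/webplus/scripts"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed access-log lines (Common Log Format) for the demonstration.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2000:10:00:00 +0000] "GET /cgi-bin/webplus?script=/script_dir/store.wml HTTP/1.0" 200 5120',
    '198.51.100.7 - - [01/Jan/2000:10:00:05 +0000] "GET /cgi-bin/webplus?script=/../../../../etc/passwd HTTP/1.0" 200 912',
    '198.51.100.7 - - [01/Jan/2000:10:00:09 +0000] "GET /cgi-bin/webplus?script=%2F..%2F..%2Fetc%2Fhosts HTTP/1.0" 200 300',
    '203.0.113.4 - - [01/Jan/2000:10:00:12 +0000] "GET /cgi-bin/webplus?about HTTP/1.0" 200 640',
]


def escapes_root(script, root=SCRIPT_ROOT):
    """Return True if the script value resolves outside the script root."""
    # webplus.exe runs on Windows too, so treat backslashes as separators.
    relative = script.replace("\\", "/").lstrip("/")
    resolved = posixpath.normpath(posixpath.join(root, relative))
    return resolved != root and not resolved.startswith(root + "/")


def suspicious_requests(log_lines):
    """Return (client, decoded script value) for requests that leave the root."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.endswith(("/webplus", "/webplus.exe")):
            continue
        # parse_qs percent-decodes, so %2F..%2F is checked in decoded form.
        for script in parse_qs(url.query).get("script", []):
            if escapes_root(script):
                hits.append((line.split()[0], script))
    return hits


if __name__ == "__main__":
    for client, script in suspicious_requests(SAMPLE_LOG):
        print(f"{client} requested script outside root: {script}")
```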

    The impact of this bug can be quite severe. Since this is an
    e-commerce package, it will likely be used on web sites that are
    accessible to any IP address worldwide, and this bug will allow
    users to gather vital information about the system running the
    Web+ software that could be used in exploits against the system.

    This bug is known to exist in Web+ 4.X as of March 1999, and is
    believed, though unverified, to exist in all previous versions.
    The vulnerability was tested and confirmed on a RedHat 6.1 Linux
    system. The latest webpsvr binary that is known to contain this
    bug is Build 506. Build information can be obtained by entering
    the URL:

        http://yourhost.com/cgi-bin/webplus?about

    The bug discovery, test, demonstration, vendor coordination, and
    advisory generation are the results of SSES, Inc. security
    engineers Dennis Edmonds, Karl Allen, and Matt Smith.

SOLUTION

    This problem has been corrected in builds of webplus after 512.
    For those who need the upgraded binary, you can either contact
    support@talentsoft.com for a link to the patch, or obtain the
    patch from the web site (www.talentsoft.com).