============================================================================
          Delphis Consulting Plc
============================================================================

         Security Team Advisories
             [19/09/2000]

          securityteam@delphisplc.com
      [http://www.delphisplc.com/thinking/whitepapers/]
  
============================================================================
Adv     :       DST2K0032
Title   :       Multiple Issues with Talentsoft WebPlus Application Server
Author  :       DCIST (securityteam@delphisplc.com)
O/S     :       Microsoft Windows Nt 2000 Professional (SP1) / Linux
Product :         Web+ Server Version: 4.6 Client-Server NT
(webpsvc.exe Build 539)
      Web+ Monitor Version: 4.6 Client-Server NT (Build
14)
      Web+ Client Version: 4.6 NT (Build 25)
Date    :       19/09/2000

I.    Description

II.   Solution

III.  Disclaimer


============================================================================

I. Description
============================================================================

Vendor URL: http://www.talentsoft.com

Delphis Consulting Internet Security Team (DCIST) discovered the following
vulnerability in Webplus under Windows NT.

Severity: low - Path revealing

It is possible to cause Webplus to reveal the physical path which it is
installed within. This is done by executing the CGI application and passing
a single .

example: http://127.0.0.1/cgi-bin/webplus.exe?script=.

This will respond with an error message detailing the physical path.

Severity: low - Internal IP address leakage

If your server is being NAT'd (i.e. located behind a firewall/load balancer)
it is possible to retrieve your internal IP address by passing the about
option to the cgi application.

example: http://127.0.0.1/cgi-bin/webplus.exe?about

Severity: medium - Source code viewing on NTFS partitions

It is possible to cause Webplus to reveal the source code of the WML files
which are located on NTFS partitions. This is done by appending the data
stream
you wish on to the WML file.

example: http://127.0.0.1/cgi-bin/webplus.exe?script=test.wml::$DATA

The danger here as the Delphis team have demonstrated is being able to
access
DSN information (datasource, table names, usernames & passwords). It is also
possible if the Script root has been set to the webroot to read the source
code of other script files (i.e. ASP).

example: http://127.0.0.1/cgi-bin/webplus.exe?script=test.asp::$DATA

II. Solution
============================================================================

Vendor Status: Informed

Delphis are happy to announce that Talentsoft has a patch for the above
::$DATA issue. The following was information recieved from the vendor.

You require build 542 (to fully disable the parsing of ::$DATA requires
using a newly rebuilt webplus.dll in addition to the use of build 542 of
webpsvc.exe web+ server)).

If you have any issues obtaining this patch please contact Talentsoft
support.

III. Disclaimer
============================================================================
THE INFORMATION CONTAINED IN THIS ADVISORY IS BELIEVED TO BE ACCURATE AT
THE TIME OF PRINTING, BUT NO REPRESENTATION OR WARRANTY IS GIVEN, EXPRESS OR
IMPLIED, AS TO ITS ACCURACY OR COMPLETENESS.  NEITHER THE AUTHOR NOR THE
PUBLISHER ACCEPTS ANY LIABILITY WHATSOEVER FOR ANY DIRECT, INDIRECT OR
CONSEQUENTIAL LOSS OR DAMAGE ARISING IN ANY WAY FROM ANY USE OF, OR RELIANCE
PLACED ON, THIS INFORMATION FOR ANY PURPOSE.
============================================================================
This e-mail and any files transmitted with it are intended solely for the
addressee and are confidential. They may also be legally
privileged.Copyright in them is reserved by Delphis Consulting PLC
["Delphis"] and they must not be disclosed to, or used by, anyone other than
the addressee.If you have received this e-mail and any accompanying files in
error, you may not copy, publish or use them in any way and you should
delete them from your system and notify us immediately.E-mails are not
secure.  Delphis does not accept responsibility for changes to e-mails that
occur after they have been sent.  Any opinions expressed in this e-mail may
be personal to the author and may not necessarily reflect the opinions of
Delphis