Reported September 27, 2000 by Delphis Consulting

VERSIONS AFFECTED
  • Talentsoft Webplus 4.6

DESCRIPTION

Multiple vulnerabilities have been found in Talentsoft Webplus 4.6.

DEMONSTRATION

The first vulnerability gives an attacker the ability to discover the physical path of web content.  This can be done by executing the CGI application and passing a single "." as the script parameter, for example:

http://127.0.0.1/cgi-bin/webplus.exe?script=.

The above example will result in an error message that contains the physical path of the web content.

The second vulnerability allows an attacker to learn the true IP address of the web server when NAT is in use.  An attacker simply has to request the following URL:

http://127.0.0.1/cgi-bin/webplus.exe?about

The last vulnerability found allows a malicious user to view the source of WML files located on NTFS partitions.  This can be accomplished by appending the name of the NTFS data stream you wish to view (here the default ::$DATA stream) to the WML file name.  For example:

http://127.0.0.1/cgi-bin/webplus.exe?script=test.wml::$DATA

This is a rather dangerous vulnerability, as other scripts such as ASP files could be read and possibly sensitive information could be leaked.
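As an added illustration (not part of the advisory and not Talentsoft code), the following Python shows the kind of input check a handler such as webplus.exe would need on its script parameter to refuse all three request shapes above, together with a detector that flags those shapes in access-log lines.  The extension allowlist, the CLF log format and the sample log lines are constructed assumptions for this example.

```python
import re
from urllib.parse import parse_qs, urlsplit

ALLOWED_EXTENSIONS = {".wml"}   # constructed allowlist of what the handler should serve

def is_safe_script_name(name: str) -> bool:
    """Accept only a single plain file name with an allowed extension; rejects a lone '.',
    NTFS stream syntax (any ':', so 'test.wml::$DATA' fails) and path separators."""
    if not name or name in (".", ".."):
        return False
    if ":" in name or "/" in name or "\\" in name:
        return False
    if not re.fullmatch(r"[A-Za-z0-9_-]+\.[A-Za-z0-9]+", name):
        return False
    return name[name.rfind("."):].lower() in ALLOWED_EXTENSIONS

# Request patterns from the advisory, keyed by a label for the analyst.
INDICATORS = {
    "path_disclosure": lambda qs: qs.get("script") == ["."],
    "ads_source_read": lambda qs: any(":" in v for v in qs.get("script", [])),
    "about_ip_leak":   lambda qs: "about" in qs,
}

REQUEST_RE = re.compile(r'^(\S+) .*"(?:GET|POST|HEAD) (\S+) HTTP/')

def flag_requests(log_lines):
    """Return (client, label) for each CLF-style log line matching an advisory pattern."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        parts = urlsplit(target)
        if not parts.path.lower().endswith("/webplus.exe"):
            continue
        qs = parse_qs(parts.query, keep_blank_values=True)   # also decodes %3A%3A%24DATA
        for label, matches in INDICATORS.items():
            if matches(qs):
                hits.append((client, label))
    return hits

# Constructed sample log lines (not real traffic) mirroring the advisory's three URLs.
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Sep/2000:10:00:01 +0000] "GET /cgi-bin/webplus.exe?script=test.wml%3A%3A%24DATA HTTP/1.0" 200 1532',
    '10.0.0.9 - - [27/Sep/2000:10:00:02 +0000] "GET /cgi-bin/webplus.exe?script=. HTTP/1.0" 500 412',
    '10.0.0.7 - - [27/Sep/2000:10:00:03 +0000] "GET /cgi-bin/webplus.exe?about HTTP/1.0" 200 880',
    '10.0.0.2 - - [27/Sep/2000:10:00:04 +0000] "GET /cgi-bin/webplus.exe?script=index.wml HTTP/1.0" 200 2048',
]
```

Run flag_requests(SAMPLE_LOG) to see the three offending clients labelled while the ordinary index.wml request passes untouched.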

VENDOR RESPONSE

According to Delphis Consulting, Talentsoft has been informed and has fixed the ::$DATA issue in their new build, 542.  The status of the other issues is unknown at this time.

CREDIT
Discovered by Delphis Consulting