[14521] in bugtraq
webplus security hole
daemon@ATHENA.MIT.EDU (TalentSoft.Support)
Fri Apr 14 12:32:43 2000
Message-Id: <D0A6DBE34B0ED211B34000A0C9938C7E34ABD9@exchange.talentsoft.com>
Date: Thu, 13 Apr 2000 15:31:18 -0500
Reply-To: "TalentSoft.Support" <TalentSoft.Support@EXCHANGE.TALENTSOFT.COM>
From: "TalentSoft.Support" <TalentSoft.Support@EXCHANGE.TALENTSOFT.COM>
X-To: "BUGTRAQ@SECURITYFOCUS.COM" <BUGTRAQ@SECURITYFOCUS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
This email is sent to advise all users of webplus having a build prior to
512 that there has been a reported security problem. In the url, if running
webplus as the user 'root', it is possible to use the '..' command to
traverse directories on the server. This technique can be used to view
proprietary files on the web server. This problem has been corrected in
builds of webplus after 512. For those who need the upgraded binary, you can
either contact support@talentsoft.com for a link to the patch, or obtain the
patch from the web site (www.talentsoft.com). The security advisory section
of the web site is currently under construction, but should be completed
very soon.
Thank You
Technical Support
talentsoft
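
For operators who ran a build prior to 512, a check of the web server's access log for requests that used '..' in the URL, as the advisory describes. This is an added example, not part of the original message and not TalentSoft code; it assumes Common Log Format, and the `/cgi-bin/app` path, the `page` parameter and all sample lines are constructed. It goes slightly beyond the literal '..' by decoding percent-encoded forms before matching.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (Common Log Format). The script path,
# parameter name and file names are hypothetical, not from the advisory.
SAMPLE_LOG = """\
192.0.2.10 - - [14/Apr/2000:10:01:02 -0500] "GET /cgi-bin/app?page=/index.wml HTTP/1.0" 200 5120
192.0.2.44 - - [14/Apr/2000:10:03:17 -0500] "GET /cgi-bin/app?page=../../../../private/file.txt HTTP/1.0" 200 1043
192.0.2.44 - - [14/Apr/2000:10:03:30 -0500] "GET /cgi-bin/app?page=%2e%2e%2f%2e%2e%2fprivate%2ffile.txt HTTP/1.0" 200 310
192.0.2.44 - - [14/Apr/2000:10:03:41 -0500] "GET /cgi-bin/app?page=%252e%252e/%252e%252e/private/x HTTP/1.0" 404 0
192.0.2.10 - - [14/Apr/2000:10:05:00 -0500] "GET /docs/release..notes.html HTTP/1.0" 200 800
"""

# client, method, request target, status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so nested encodings are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(target):
    """True if any path or parameter segment is exactly '..' after decoding."""
    decoded = fully_decode(target).replace("\\", "/")
    # Split on path and query delimiters so 'release..notes' is not flagged.
    return ".." in re.split(r"[/?&=;]", decoded)


def find_traversal(log_text):
    """Return one record per request whose URL contains a '..' segment."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and has_traversal(m.group(3)):
            status = int(m.group(4))
            # A 2xx answer means the server returned content and needs review.
            hits.append({"client": m.group(1), "target": m.group(3),
                         "status": status, "served": 200 <= status < 300})
    return hits


if __name__ == "__main__":
    for hit in find_traversal(SAMPLE_LOG):
        print(hit)
```

Hits with `served` set are the ones to review first, since the server answered them with content rather than an error.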