How do I disable "texis.exe?-dump"

Posted: Mon Mar 17, 2003 9:43 am
by sduggan
We recently got an email message from a customer who used the URL http://[company].com/programs/texis.exe?-dump and he got a web page with a dump of our environment. This is bad. How do I disable this so customers coming to our site can't see this?

Thanks
Shawn

Posted: Mon Mar 17, 2003 9:53 am
by Kai
There's a patch available to disable this debugging option. Contact Thunderstone Tech support for details.

Posted: Mon Mar 24, 2003 3:02 pm
by mark
The patch for this is now available to everyone from our public ftp server. Visit ftp://ftp.thunderstone.com/pub/vfpatch/ and read the README.txt file there.

References:
http://thunderstone.master.com/texis/ma ... 3c630dc010
http://www.securityfocus.com/archive/82/255543
http://www.securityfocus.com/archive/1/315411

Posted: Tue Apr 01, 2003 12:38 pm
by rjacoby
I just used the patch as instructed for the hpux version in ftp://ftp.thunderstone.com/pub/vfpatch/ ... fpatch.txt

The output of the patch was:
vfpatch texis
7 patches completed (NOTE: expected 10)
Success. Back up original file and install patched file,
making sure ownership and permissions are the same.

I haven't changed anything to the monitor executable (what texis is a symlink to). How can I find out what the 3 patches that were expected but not completed are, and should I be concerned?

Thanks,
Bob

Posted: Tue Apr 01, 2003 2:49 pm
by mark
The patch was created a while ago for older versions of the software. Newer versions have fewer things to patch. You can safely ignore the difference in counts.

Posted: Wed Apr 02, 2003 2:49 pm
by sduggan
I have just updated to "Webinator 4.2.8-Windows-w/plugin" and after running the vpatch.exe again to fix the -dump issue I get an error message when I start a walk.
=====================================================
018 [webinatoradmin=webinatoradmin](dowalk) 914: Can't exec `./R:\Inetpub\Webinator4\texis.exe': The system cannot find the file specified. in the function TXpopenduplex Basic Walk Settings
=====================================================
I noticed it's looking in "./R:" instead of just "R:"
I've uninstalled and reinstalled twice. When I don't run the patch everything works OK.

Posted: Wed Apr 02, 2003 6:01 pm
by Kai
Near line 114 of the dowalk script (in Texis\Scripts\Webinator in your install dir), change this code:

<rex "winnt" $version>
<if "" neq $ret>

to this code:

<rex "winnt" $version>
<$ret = "winnt">
<if "" neq $ret>

This will fix the issue. (Make sure you do not copy this mod to another non-Windows platform.)

Posted: Tue Aug 26, 2008 9:14 am
by jamon
The Readme for that patch says the following:

*** NOTE: Texis/Webinator versions 4.03 or later (April 3, 2003) do not ***
*** need to be patched. They incorporate the patch behavior as shipped. ***


I'm running:

Texis Web Script (Vortex) Copyright (c) 1996-2005 Thunderstone - EPI, Inc.
Webinator Professional Version 5.01.1109610969 20050228 (i686-intel-winnt-32-32)

And people can see the -dump and -version info from one of our web servers.

Not from the other two servers, however.

Can I just copy the texis.exe file from one box to another if they are identical boxes?

If not, what's the current fix for this?

Posted: Tue Aug 26, 2008 10:40 am
by mark
In your INSTALLDIR find texis.cnf and edit it with notepad. Look for CGI Debug and set it to 0.

CGI Debug = 0

It ships that way but someone must have turned it on after installation for some kind of testing.
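
Added example, not part of the thread and not Thunderstone's code: the last two posts describe one server out of three exposing -dump because CGI Debug was turned on in texis.cnf. This Python sketch classifies the text of each server's texis.cnf by that setting; the host labels, sample contents, comment markers and the last-occurrence-wins rule are assumptions.

```python
import re

# "CGI Debug = <value>" as quoted in the thread. Loose spacing and case
# matching is an assumption about how texis.cnf is read.
CGI_DEBUG = re.compile(r"^\s*CGI\s+Debug\s*=\s*(\S+)", re.IGNORECASE)


def cgi_debug_status(cnf_text):
    """Classify one texis.cnf: 'off', 'review' or 'not set'."""
    value = None
    for line in cnf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):  # assumed comment markers
            continue
        match = CGI_DEBUG.match(line)
        if match:
            value = match.group(1)  # assumption: last occurrence wins
    if value is None:
        return "not set"
    # Anything other than an explicit 0 is flagged for a human to look at.
    return "off" if value == "0" else "review"


def hosts_needing_attention(configs):
    """Return sorted host labels whose CGI Debug is not explicitly 0."""
    return sorted(h for h, text in configs.items()
                  if cgi_debug_status(text) != "off")


# Constructed sample contents for three hypothetical servers.
SAMPLES = {
    "web1": "# constructed sample\nCGI Debug = 0\n",
    "web2": "# CGI Debug = 0\ncgi debug=1\n",
    "web3": "# constructed sample, setting absent\n",
}

if __name__ == "__main__":
    for host in sorted(SAMPLES):
        print(host, cgi_debug_status(SAMPLES[host]))
    print("check:", ", ".join(hosts_needing_attention(SAMPLES)))
```

A host reported as "not set" is listed for a manual look rather than assumed safe, since the thread only states what the shipped file contains.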