Subject: WebSpeed Security Issue
From: Roy V. Ellis (ellis PROGRESS.COM)
Date: Thu Feb 10 2000 - 14:53:09 CST

This email is being sent to clarify a specific WebSpeed security issue
raised recently in various security-email-groups and security-web-sites.

The WebSpeed security issue surrounds the use of a development tool,
WSMAdmin (WebSpeed Messenger Administration tool). This tool is meant for
use during development of WebSpeed applications and access should be
disabled when the application goes to production. Leaving access to the
tool enabled on a production web site allows web users to get information
about your configuration and hardware.

To disable the WSMAdmin tool you need to modify settings in
WebSpeed-specific files. For the instructions specific to your version of
WebSpeed please see our Knowledge Database on the Progress Home Site
http://www.progress.com . Select TECH SUPPORT from the top of the page and
follow the links to Knowledge Base. Select Query-By-Word and use the
keywords "disable and WSMAdmin". There will be 2 solutions. One for
version 2.x and one for version 3.x of WebSpeed.

There was a bug in our Progress Explorer tool (a GUI interface for
modifying configuration files for WebSpeed) in disabling the WSMAdmin
access. The Progress Explorer tool was not disabling the WSMAdmin access
correctly. The workaround is to manually edit the files using the
Knowledge Base entries described above. This bug has been fixed in our
most recent version, WebSpeed 3.1A.

SUMMARY: Always disable access to WSMAdmin on a production web site! Use
the Knowledge Base for the correct steps to disable the WSMAdmin. Be sure
to test access to the site once disabled. If you are unable to disable
access to the WSMAdmin, contact Technical Support at Progress.

Roy
/--------------------------------------------------------------------
/ Roy Ellis Progress Software
/ ellis progress.com (603) 578-6724
/--------------------------------------------------------------------