Bugtraq mailing list archives

Webspeed security issue


From: georger () NLS NET (George)
Date: Thu, 3 Feb 2000 22:22:58 -0500


I reported this to Progress (maker of Webspeed) a month ago and they said
they would fix it, but since then I've not seen any fixes released. I also
pondered whether or not to release this information because some rather
large web databases use Webspeed, but I do believe in full disclosure as the
best security, so here goes...

Webspeed is a website creation language used by some of the larger db-based
websites on the net. Version 3 comes with a Java GUI configuration program.
This configuration program has certain security setting options in it, one
of which doesn't actually do anything.

There is one option to turn off access to a utility called WSMadmin. It's in
the messenger section of the GUI config program. However, checking or
unchecking this option doesn't change anything. In fact, to turn this feature
off you have to hand-edit the ubroker.properties file. Look for the
following entries:

AllowMsngrCmds=1

and each time you find this, set it to 0 in each of the sections. This will
disable the feature (you want to do this on the production server):

AllowMsngrCmds=0

Ok, now the exploit to show how serious an issue this is on the web. It's
just a misconfiguration really, but it's caused by a bug in the Java config
program (I tested the NT version, but since the config program is Java it may
also affect other platforms).

Exploit:

Go to search engines and search for "wsisa.dll"; I used Google, 3rd page or
further (the first 3 pages are all junk).

Go to a URL similar to
http://www.domain.com/scripts/wsisa.dll/extra/somepage.htm with your browser.

Change the URL in the browser to
http://www.domain.com/scripts/wsisa.dll/WService=anything?WSMadmin

(note: capitals are important)

Click on the link "End Sessions Logging and Display Sessions Info" (note you
may have to start logging first, then stop it, if they've never used the
logging feature).

When you pick the End Sessions Logging choice, it displays the log; find a
statement in the log for the default service: "Default Service =
nameofservice".

Back up one page (hit your back button).

Type nameofservice into the Verify WebSpeed Configuration box and click the
verify button.

If everything worked, you now own their site. I won't explain how to use the
utility, but anyone familiar with this should know exactly how dangerous this
is.

Geo.
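The hand-edit George describes (set every AllowMsngrCmds entry in ubroker.properties to 0, since the GUI checkbox does not) is easy to get wrong on a file with many broker sections, so here is an added audit script; it is not part of the original post or of Progress's tooling. It assumes ubroker.properties is a sectioned key=value file with [bracketed] section headers, and the section names and sample contents below are constructed for illustration.

```python
"""Audit a WebSpeed ubroker.properties file for the AllowMsngrCmds setting
that exposes WSMadmin, listing every section where it is still enabled and
producing a corrected copy with each entry set to 0 (added example)."""
import re

# Constructed sample in the style of ubroker.properties; the broker
# section names are assumptions, not taken from a real installation.
SAMPLE = """\
# constructed sample ubroker.properties
[UBroker.WS]
    AllowMsngrCmds=1
    brokerLogFile=ws.broker.log

[UBroker.WS.wsbroker1]
    AllowMsngrCmds=1
    portNumber=3055

[UBroker.WS.wsbroker2]
    AllowMsngrCmds=0
"""

SECTION_RE = re.compile(r"^\s*\[(.+?)\]\s*$")
KEY_RE = re.compile(r"^(\s*)AllowMsngrCmds\s*=\s*(\S*)\s*$", re.IGNORECASE)


def audit(text):
    """Return the names of all sections whose AllowMsngrCmds is not 0."""
    enabled, section = [], None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        k = KEY_RE.match(line)
        if k and k.group(2) != "0":   # "1", empty, or anything else: report it
            enabled.append(section)
    return enabled


def harden(text):
    """Return a copy with every AllowMsngrCmds entry set to 0, indentation kept."""
    out = []
    for line in text.splitlines():
        k = KEY_RE.match(line)
        out.append(f"{k.group(1)}AllowMsngrCmds=0" if k else line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for name in audit(SAMPLE):
        print(f"WSMadmin still reachable: [{name}] has AllowMsngrCmds enabled")
```

Run audit() on the real file before and after the edit; an empty list afterwards confirms no section was missed.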
