Webspeed security issue

From: George (georgerat_private)
Date: Thu Feb 03 2000 - 19:22:58 PST

    I reported this to Progress (maker of Webspeed) a month ago and they said
    they would fix it but since then I've not seen any fixes released. I also
    pondered whether or not to release this information because some rather
    large web databases use Webspeed but I do believe in full disclosure as the
    best security so here goes...
    
    Webspeed is a website creation language used by some of the larger db based
    websites on the net. Version 3 comes with a java GUI configuration program.
    This configuration program has certain security setting options in it. One
    of which doesn't actually do anything.
    
    There is one option to turn off access to a utility called WSMadmin. It's in
    the messenger section of the GUI config program. However checking or
    unchecking this option doesn't change anything. In fact to turn this feature
    off you have to hand edit the ubroker.properties file. Look for the
    following entries:
    
    AllowMsngrCmds=1
    
    and each time you find this set it =0 in each of the sections. This will
    disable the feature (you want to do this on the production server).
    
    AllowMsngrCmds=0
    
    Ok, now the exploit to show how serious an issue this is on the web. It's
    just a misconfiguration really but it's caused by a bug in the java config
    program (I tested the NT version but since the config program is java it may
    also affect other platforms)
    
    Exploit:
    
    go to search engines and search for "wsisa.dll", I used google 3rd page or
    further (first 3 pages are all junk)
    
    Go to URL similar to
    http://www.domain.com/scripts/wsisa.dll/extra/somepage.htm with your browser
    
    change the url in the browser to
    http://www.domain.com/scripts/wsisa.dll/WService=anything?WSMadmin
    
    (note capitals are important)
    
    click on the link "End Sessions Logging and Display Sessions Info" (note you
    may have to start logging first then stop it if they've never used the
    logging feature)
    
    When you pick the End Sessions Logging choice it displays the log, find a
    statement in the log for the default service "Default Service =
    nameofservice"
    
    back up one page (hit your back button)
    
    type nameofservice into the Verify WebSpeed Configuration box and click the
    verify button.
    
    If everything worked you now own their site. I won't explain how to use the
    utility but anyone familiar with this should know exactly how dangerous this
    is.
    
    Geo.
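
Added example (not part of the original post or of Progress's tooling): since the GUI option does not write the setting, this sketch checks a ubroker.properties file directly and lists every section where AllowMsngrCmds is still not 0. The section names in the sample, the "#" comment handling and the case-insensitive key match are assumptions; only the AllowMsngrCmds key and the file name come from the post.

```python
import re
import sys

SECTION = re.compile(r"^\[(.+)\]\s*$")
# Key name from the post; matched case-insensitively as a conservative assumption.
SETTING = re.compile(r"^AllowMsngrCmds\s*=\s*(.*)$", re.IGNORECASE)

# Constructed sample input, not a real ubroker.properties; section names are hypothetical.
SAMPLE = """\
# constructed sample
[Messengers.Example1]
AllowMsngrCmds=1

[Messengers.Example2]
AllowMsngrCmds = 0

[Messengers.Example3]
allowmsngrcmds=1
"""

def audit_allow_msngr_cmds(text):
    """Return (line_no, section, value) for each AllowMsngrCmds entry not set to 0."""
    findings = []
    section = "(no section)"
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):  # assumed comment syntax
            continue
        header = SECTION.match(line)
        if header:
            section = header.group(1)
            continue
        setting = SETTING.match(line)
        if setting and setting.group(1).strip() != "0":
            findings.append((line_no, section, setting.group(1).strip()))
    return findings

if __name__ == "__main__":
    # Pass the path to ubroker.properties; with no argument the sample is checked.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE
    results = audit_allow_msngr_cmds(text)
    for line_no, section, value in results:
        print(f"line {line_no}: [{section}] AllowMsngrCmds={value} (should be 0)")
    sys.exit(1 if results else 0)
```

The script exits non-zero when any section still has the feature enabled, so it can be re-run after each use of the GUI config program to confirm the hand edit is still in place.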
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:33:30 PDT