Flaw in about.r OS and Progress version disclosure Apr 29 2007 06:12PM
suresync gmail com
about.r OS and Progress version disclosure.

Because of poor security in webutil/about.r it is possible to view the OS and the Progress version of a remote webspeed server.

First you have to find the messenger execution url. For example:
http://yourmachine.com/scripts/cgiip.exe/WService=wsbroker1
http://yourmachine.com/scripts/wsisa.dll/WService=wsbroker1

just add the following to the url:
/webutil/about.r
your url will look like this:
http://yourmachine.com/scripts/cgiip.exe/WService=wsbroker1/webutil/abou
t.r

Then you get a response displaying the OS version and the Progress version. This is usefull info for potential hackers.

This workes for all Progress releases.

http://www.ishare.nl

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus