• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Focus On: Vista
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns

• info
• discussion
• exploit
• solution
• references

Progress WebSpeed Administration Utility Configuration Vulnerability

In order to access the WebSpeed WSISA Messenger Administration Utility, append "WService=anything?WSMadmin" (case sensitive) after wsisa.dll/ in the URL.

eg.:
http://www.domain.com/scripts/wsisa.dll/WService=anything?WSMadmin

Once the Messenger Administration Utility is accessed, configuration utilities will be displayed and can be freely accessed. Furthermore, you can click on the link "End Sessions Logging and Display Sessions Info ." This will bring you to the messenger session log file. From here, search for the statement "Default Service = 'service' ". Hit the browsers BACK button and enter the 'service' string into one of the configuration boxes (depending on how the administrator has configured the Messenger Administration Utility) in order to view other web server statistics and possibly disconnect running services.