• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Focus On: Vista
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns

• info
• discussion
• exploit
• solution
• references

Progress WebSpeed Administration Utility Configuration Vulnerability

Solution:
Progress has released patches which correct this issue and may be downloaded at the location below:

http://www.progress.com/patches/patchlst/availpatche.html

Progress also recommends disabling the WSISA Messenger Administration Utility after the Webspeed applications have gone into production. The following instructions have been taken from the Progress knowledge base:

For security reasons, many web administrators do not allow users to use the WSMAdmin command to access webspeed configuration information. In order to disable this, you have to uncheck the box next to 'Internal Administration Command - WSMAdmin' for each Webspeed Messenger.

If after doing the above, you find that you can still access the WSMAdmin utility from a web browser, you need to take the following steps:

1. Stop the webspeed brokers
2. Close the Progress Explorer
3. Open the ubroker.properties file in notepad (or any other editor)

Find the following entry under[Webspeed.Messengers]
AllowMsngrCmds=1
Modify this line to: AllowMsngrCmds=0

4. Stop the Progress Admin Service - (Control Panel->Services)
5. Re-start the Progress Admin Service - (Control Panel->Services)
6. Connect to the Progress Admin Service from the Progress Explorer
7. Restart your web brokers

Messenger Internal Commands should now be disabled and you should not be able to access WSMAdmin from a web browser.