Kbase P123670: WebSpeed's about.r exposes the OS version and Progress version
Author: Progress Software Corporation - Progress
Access: Public
Published: 23/02/2010
Status: Verified
SYMPTOM(s):
WebSpeed's about.r exposes the OS version and Progress version
WebSpeed discloses information about the server operating system
Sample URL: http://host/scripts/cgiip.exe/WService=wsbroker1/webutil/about.r
FACT(s) (Environment):
Progress 9.x
OpenEdge 10.x
WebSpeed 3.x
CAUSE:
Bug# OE00150081
FIX:
There are three workarounds, depending on your deployment configuration.
1. If the WebSpeed production broker does not share the same Progress installation as the development broker, rename about.r in the $DLC/tty/webutil and $DLC/gui/webutil directories.
2. If the production brokers share the same Progress installation as a development broker, a solution is to create a directory containing a program with the same name, about.p. The program would contain the following line:
RETURN ERROR.
Compile it, and place the compiled .r file in the newly created directories.
For example:
- create $DLC/security, then the directory structures $DLC/security/webutil, $DLC/security/tty/webutil and $DLC/security/gui/webutil
- create the program about.p in $DLC/security/webutil, containing the following line:
RETURN ERROR.
- compile the program using the character client
- copy the compiled about.r to the newly created directories $DLC/security/tty/webutil and $DLC/security/gui/webutil
- add $DLC/security to the start of the production broker's PROPATH in ubroker.properties.
3. A non-WebSpeed solution, using Apache, is to check the incoming URL for the offending programs, then redirect the request to a 404 page or some other page.
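
One way to implement workaround 3 in Apache, as an added example that is not part of the original Progress article. It assumes mod_alias is loaded and that the rule sits in the server or virtual-host configuration that serves the messenger path from the sample URL; `/blocked.html` in the commented alternative is a hypothetical page.

```apache
# Added example (not from the Progress article). Assumes mod_alias is loaded
# and this sits in the server or <VirtualHost> config fronting the messenger.

# Answer 404 for any URL path containing /webutil/about.r, regardless of the
# messenger path or WService= value in front of it.
# (?i) makes the match case-insensitive, so ABOUT.R is covered as well.
# mod_alias processes redirects before ScriptAlias, so the request never
# reaches the WebSpeed messenger.
RedirectMatch 404 "(?i)/webutil/about\.r"

# Alternative ("some other page"): send the client to a static page instead.
# /blocked.html is a hypothetical page; this variant requires mod_rewrite.
#RewriteEngine On
#RewriteRule "(?i)/webutil/about\.r" "/blocked.html" [R=302,L]
```

After reloading Apache, a request for the sample URL above should return status 404, and the corresponding access-log entries can be monitored for probing.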