Kbase P123694: WebSpeed agents stay busy when calling predefined procedures with no parameter
Author: Progress Software Corporation - Progress
Access: Public
Published: 10/29/2008
Status: Verified
SYMPTOM(s):
WebSpeed agents stay busy when calling predefined procedures with no parameter
Sample URLs
http://host/scripts/cgiip.exe/WService=wsbroker1/_edit.r
http://host/scripts/cgiip.exe/WService=wsbroker1/_admin.r
http://host/scripts/cgiip.exe/WService=wsbroker1/_dict.r
http://host/scripts/cgiip.exe/WService=wsbroker1/_comp.r
http://host/scripts/cgiip.exe/WService=wsbroker1/dict.r
http://host/scripts/cgiip.exe/WService=wsbroker1/_help.r
http://host/scripts/cgiip.exe/WService=wsbroker1/_resconv.r
FACT(s) (Environment):
Progress 9.x
OpenEdge 10.x
WebSpeed 3.x
Using a messenger URL that ends with one of the predefined procedures and carries no additional parameters in the query string
A remote denial-of-service attack is possible against WebSpeed when such a crafted URL is used: each request leaves the agent that handled it busy, so repeated requests exhaust the agent pool
The issue also occurs when WebSpeed is deployed in "Production" mode
Calling WebSpeed's _admin.r, _edit.r, _comp.r, _dict.r, _help.r, dict.r, _resconv.r
CAUSE:
Bug# OE00150624
CAUSE:
Bug# OE00150628
CAUSE:
Bug# OE00150629
CAUSE:
Bug# OE00150630
CAUSE:
Bug# OE00150631
FIX:
Upgrade to Service Pack OE10.1B02 or higher
If an upgrade is NOT possible, use one of the following workarounds:
There are three workarounds, depending on your deployment configuration.
1. If the WebSpeed production broker does not share the same Progress installation as the character development environment, rename the offending files in the directories $DLC/src, $DLC/tty and $DLC/gui.
2. If the production broker shares the same Progress installation as the character development environment, create a directory containing programs with the same names (_edit.p etc.). Each of these programs contains only the following line:
RETURN ERROR.
Compile them and add the directory to the start of the PROPATH of the production broker, so the stubs are found before the real procedures.
e.g.
- create the $DLC/security, $DLC/security/tty and $DLC/security/gui directory structures
- create the programs _edit.p etc. in $DLC/security, each containing the following line:
RETURN ERROR.
- compile the programs using the character client
- copy the compiled _edit.r etc. to $DLC/security/tty and $DLC/security/gui
- add the directory $DLC/security to the start of the production broker's PROPATH in ubroker.properties
3. A non-WebSpeed workaround, when Apache is in front of the messenger, is to check the incoming URL for the offending programs and redirect those requests to a 404 page or some other page.
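The following mod_rewrite fragment is an added example of workaround 3, not a configuration shipped by Progress or taken from this article. It assumes Apache 2.x with mod_rewrite enabled, the messenger reachable under /scripts/cgiip.exe as in the sample URLs above, and the seven program names listed in this article; adjust the path and the list to your own deployment.

```apache
# Added example (not from the Progress Kbase article): reject requests for
# WebSpeed's predefined development procedures at the Apache front end.
# Assumed: Apache 2.x, mod_rewrite loaded, messenger path /scripts/cgiip.exe.
RewriteEngine On

# The article's trigger is the bare URL with no query string, but none of
# these development tools belong on a production broker, so the rule does
# not look at QUERY_STRING and blocks the programs unconditionally.
# [NC] covers mixed-case requests, which matter on Windows (cgiip.exe).
RewriteCond %{REQUEST_URI} ^/scripts/cgiip\.exe/WService=[^/]+/(_edit|_admin|_dict|_comp|dict|_help|_resconv)\.r$ [NC]
# Answer 404 directly; a non-3xx status in R= drops the substitution and
# stops rewriting, so the request never reaches the messenger.
RewriteRule .* - [R=404,L]

# Variant: send the client to a static page instead of a bare 404.
# RewriteCond %{REQUEST_URI} ^/scripts/cgiip\.exe/WService=[^/]+/(_edit|_admin|_dict|_comp|dict|_help|_resconv)\.r$ [NC]
# RewriteRule .* /blocked.html [R=302,L]

# Variant: block only the exact condition the article describes
# (no query string at all), if the procedures must stay callable with parameters.
# RewriteCond %{QUERY_STRING} ^$
# RewriteCond %{REQUEST_URI} ^/scripts/cgiip\.exe/WService=[^/]+/(_edit|_admin|_dict|_comp|dict|_help|_resconv)\.r$ [NC]
# RewriteRule .* - [R=404,L]
```

Verify the rule against your own messenger path before relying on it (the LogLevel rewrite:trace directive, or RewriteLog on Apache 2.2, shows which requests match). This only protects traffic that passes through Apache: a broker still reachable through another messenger or web server is not covered, so pair it with workaround 1 or 2 where possible.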