Kbase P123762: Recently Discovered WebSpeed Security Issues
Author: Progress Software Corporation - Progress
Access: Public
Published: 27/12/2007
Status: Verified
GOAL:
Recently Discovered WebSpeed Security Issues
GOAL:
How to handle recent exploits in WebSpeed?
FACT(s) (Environment):
WebSpeed Versions
FIX:
Dear Valued Partners and Customers,
Progress Software has recently become aware of several security issues within the WebSpeed product line.
The items below reference the recently discovered security issues. Each item also cites the solution that describes the problem in full, along with a workaround and/or fix for the issue.
1. WebSpeed's _cpyfile.p allows arbitrary file overwrites. By using a specially crafted URL, a remote user can create or overwrite files on a WebSpeed system. This is fixed in OpenEdge 10.0A. Refer to Solution P13684, "WebSpeed's _cpyfile.p allows arbitrary file overwrites".
2. WebSpeed's about.r exposes the OS version and Progress version. A remote user can access WebSpeed version and operating system version information. This information can then be used for other exploits. Refer to Solution P123670, "WebSpeed's about.r exposes the OS version and Progress version".
3. A remote denial-of-service attack is possible against WebSpeed. By using a specially crafted URL, a remote user can cause all WebSpeed agents to become BUSY, so that no more requests can be handled. Refer to Solution P123694, "WebSpeed agents stay busy when calling predefined procedures with no parameter".
These issues are corrected in OpenEdge 10.1B02 and higher; please see the solutions for current workarounds.
If you have any questions and/or issues, please contact Progress Technical Support in your region.