Kbase P172726: How to secure OS command option from Workshop
Author: Progress Software Corporation - Progress
Access: Public
Published: 9/1/2010
Status: Unverified
GOAL:
How to secure OS command option from Workshop
GOAL:
How to prevent developers from executing OS commands from WebSpeed Workshop
FACT(s) (Environment):
All Supported Operating Systems
Progress 9.x
OpenEdge 10.x
WebSpeed
FIX:
In WebSpeed Workshop, OS-COMMAND is available from the interface through the program oscommand.r in tty/webtools. Rename or remove this program, or replace it with something else, to prevent this page from being used. However, since WebSpeed Workshop allows developers to write ABL code, users could still write a program that calls OS-COMMAND and achieves essentially the same result.
Alternatively, OS-COMMAND uses the SHELL environment variable to determine which operating system shell executes a command.
Set the SHELL environment variable in the configuration of the WebSpeed broker to point to an invalid program, or to a program of your choice if you want to log the attempt.
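
A stand-in for the "program of your choice" on UNIX, added here as an example (it is not Progress code). It assumes the broker runs the program named by SHELL with the command passed as arguments; the script name `deny-shell.sh` and the log path are hypothetical.

```shell
#!/bin/sh
# Replacement "shell" for the WebSpeed broker's SHELL variable (added example).
# It records every OS-COMMAND attempt and never executes the requested command.
# Assumption: the broker invokes $SHELL with the command as arguments.

# Hypothetical log location; override with DENY_LOG in the broker environment.
DENY_LOG="${DENY_LOG:-/var/log/webspeed/oscommand-denied.log}"

# Remove control characters so a crafted command cannot forge extra log lines.
sanitize() {
    printf '%s' "$1" | tr -d '\000-\037\177'
}

# Write one log line for the attempt and return a "cannot execute" status.
deny_and_log() {
    ts=$(date -u '+%Y-%m-%dT%H:%M:%SZ')
    user=$(id -un 2>/dev/null || echo unknown)
    args=$(sanitize "$*")
    # Fall back to syslog if the log file cannot be written.
    { printf '%s user=%s ppid=%s denied: %s\n' \
        "$ts" "$user" "$PPID" "$args" >> "$DENY_LOG"; } 2>/dev/null \
        || logger -t oscommand-deny "user=$user denied: $args" 2>/dev/null
    return 126
}

# Act only when executed under the installed name, not when sourced.
case "${0##*/}" in
    deny-shell*) deny_and_log "$@"; exit $? ;;
esac
```

The log file must be writable by the account the broker's agents run as, and as the article notes for oscommand.r, this only covers commands launched through SHELL.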