COMMAND

    Webspeed

SYSTEMS AFFECTED

    Those using Webspeed

PROBLEM

    George R. found the following.  WebSpeed is a website creation
    language used by some of the larger database-backed websites on the
    net.  Version 3 comes with a Java GUI configuration program.  This
    configuration program has certain security settings, one of which
    doesn't actually do anything.

    There is one option to turn off access to a utility called
    WSMadmin.  It's in the messenger section of the GUI config
    program.  However, checking or unchecking this option doesn't
    change anything.  In fact, to turn this feature off you have to
    hand-edit the ubroker.properties file.  Look for the following
    entries:

        AllowMsngrCmds=1

    and each time you find this, set it to 0 in each of the sections.
    This will disable the feature (you want to do this on the
    production server).

        AllowMsngrCmds=0
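
    Since the GUI checkbox cannot be trusted, the file itself has to be
    checked.  The following is an added example, not part of the
    original advisory or of the product: it lists every section where
    AllowMsngrCmds is still enabled and produces a corrected copy.  The
    [Section] header layout, the section names, the "#" comment
    character and case-insensitive key matching are assumptions; the
    sample file content is constructed.

```python
import re

# Constructed sample; the [Section] header layout and names are assumptions.
SAMPLE = """\
[WebSpeed.Messengers]
AllowMsngrCmds=1
[WebSpeed.Messengers.WSISA]
  allowmsngrcmds = 1
[WebSpeed.Messengers.CGIIP]
AllowMsngrCmds=0
# AllowMsngrCmds=1 (commented out, ignored)
[UBroker.WS.wsbroker1]
srvrLogFile=ws.log
"""

SECTION = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
# Key is matched case-insensitively so an oddly cased entry is not missed.
SETTING = re.compile(
    r"^(?P<lead>\s*AllowMsngrCmds\s*=\s*)(?P<val>\S*)(?P<rest>.*)$",
    re.IGNORECASE,
)


def audit(text):
    """Return (findings, fixed_text).

    findings: (line_number, section, value) for every active
    AllowMsngrCmds entry whose value is not exactly 0.
    fixed_text: the same content with those entries set to 0.
    """
    findings, out, section = [], [], "(no section)"
    for lineno, line in enumerate(text.splitlines(), start=1):
        header = SECTION.match(line)
        setting = SETTING.match(line)
        if header:
            section = header.group("name")
        elif setting and setting.group("val") != "0":
            findings.append((lineno, section, setting.group("val")))
            line = setting.group("lead") + "0" + setting.group("rest")
        out.append(line)
    return findings, "\n".join(out) + "\n"


if __name__ == "__main__":
    found, fixed = audit(SAMPLE)
    for lineno, section, value in found:
        print(f"line {lineno}: [{section}] AllowMsngrCmds={value}")
```

    Run audit() on the contents of ubroker.properties again after any
    change made through the GUI; an empty findings list means no
    section still enables the feature.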

    Ok, now the exploit to show how serious an issue this is on the
    web.  It's just a misconfiguration really, but it's caused by a
    bug in the Java config program (tested the NT version, but since
    the config program is Java it may also affect other platforms).

    As for the exploit, go to search engines and search for
    "wsisa.dll".  George used Google, 3rd page or further (the first 3
    pages are all junk).  Go to a URL similar to

        http://www.domain.com/scripts/wsisa.dll/extra/somepage.htm

    with your browser.  Change the URL in the browser to

        http://www.domain.com/scripts/wsisa.dll/WService=anything?WSMadmin

    (note that capitals are important).  Click on the link "End
    Sessions Logging and Display Sessions Info" (note you may have to
    start logging first, then stop it, if they've never used the
    logging feature).

    When you pick the End Sessions Logging choice it displays the log;
    find the statement in the log for the default service, "Default
    Service = nameofservice".

    Back up one page (hit your back button).

    Type nameofservice into the Verify WebSpeed Configuration box and
    click the verify button.

    If everything worked you now own their site.  We won't explain how
    to use the utility, but anyone familiar with this should know
    exactly how dangerous this is.

SOLUTION

    Nothing yet.