lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <20070429181201.6468.qmail@securityfocus.com> Date: 29 Apr 2007 18:12:01 -0000 From: suresync@...il.com To: bugtraq@...urityfocus.com Subject: Flaw in about.r OS and Progress version disclosure about.r OS and Progress version disclosure. Because of poor security in webutil/about.r it is possible to view the OS and the Progress version of a remote webspeed server. First you have to find the messenger execution url. For example: http://yourmachine.com/scripts/cgiip.exe/WService=wsbroker1 http://yourmachine.com/scripts/wsisa.dll/WService=wsbroker1 just add the following to the url: /webutil/about.r your url will look like this: http://yourmachine.com/scripts/cgiip.exe/WService=wsbroker1/webutil/about.r Then you get a response displaying the OS version and the Progress version. This is usefull info for potential hackers. This workes for all Progress releases. http://www.ishare.nl