Web Connection
Security Advisory: Fix Web Connection Administration Access Exploit
Security Advisory: Fix Web Connection Administration Access Exploit
  Rick Strahl
  All
  Feb 5, 2018 @ 06:49pm

Hi all,

There are a lot of Web Connection applications on the Web that have open Administration Pages accessible to anybody who can find these sites. As you might imagine that's very dangerous as the Admin page allows access to running processes as well the Web Connection server instances. It's vitally important that the Admin page is locked down when you take an application live.

Even though Web Connection provides plenty of warning messages and the configuration tools automatically configure server security properly, there are some of our users that ignore the warnings or willfully bypass the recommended security settings.

Updates to Web Connection and Updated Admin Pages

I've made a few changes in Web Connection to make it much more difficult to make the admin page open by accident with an update in Web Connection 6.19. I've also written up a detailed blog post that describes the problem, the current, the update and how to fix this either by upgrading or manually fixing the Administration page.

Please check out the blog post that goes into detail - if for nothing else to remind you to look at your application security and make sure you are secure:

You can also download the Admin page fixes from this zip file:

I'd also like to point Web Connection users and administrators at the Security Lockdown and IIS Configuration topics in the Web Connection Documentation:

If you have a Web Connection application live on the Web and you're not sure about the status of your security, please take the time to review these three links as they are very important to the security of your application.

+++ Rick ---

re: Security Advisory: Fix Web Connection Administration Access Exploit
  Michael Hogan (Ideate Hosting)
  Rick Strahl
  Feb 9, 2018 @ 10:26am

Admin page updates are for wc 6.x only, or also 5.x?

re: Security Advisory: Fix Web Connection Administration Access Exploit
  Rick Strahl
  Michael Hogan (Ideate Hosting)
  Feb 9, 2018 @ 02:47pm

The files are for Web Connection 6.x and the old ASP page. There's nothing for the older Admin links (wc.wc?__maintain links) which were used prior to 6.10 I believe. If you're on any 6.x version I'd highly recommend updating to 6.19 - those updates are pretty much seamless. For 5.x you'll need to use the manual update of the Admin.aspx page.

+++ Rick ---

re: Security Advisory: Fix Web Connection Administration Access Exploit
  Stein Goering
  Rick Strahl
  Feb 13, 2018 @ 02:32pm

Thanks for highlighting this issue. Admin page security has been an ongoing issue in our case as we distribute a vertical app which runs on scores of different customer servers that are not under our control. So we rely on their staff to apply security and it's amazing how many customers just ignore our warnings and leave things open. (I fear that some of the sites Ken Pyle noted may well have been our clients.)

Having the Admin page more securely locked down by default will be helpful for future new installations, but we still need to deal with existing customers. The problem is that once our app is installed, our staff generally does not have access to the customer server, so we have no way of making security settings on pages or folders. What we can do, if we're made aware that a client has failed to secure our app, is to edit their config file to set AdminAccount=Any to activate the second level of authentication. It seems to me that is actually more critical since users could still type in the wc.wc?wwmaint commands even if the aspx page is secured.

Now with the enhanced security by default we have another option. If we can't get them to apply security to the page, we may at least be able to get them to upgrade their copy of admin.aspx so the links won't show.

--stein

re: Security Advisory: Fix Web Connection Administration Access Exploit
  Rick Strahl
  Stein Goering
  Feb 14, 2018 @ 11:01pm

Yeah I'm hoping this push will cause a few more people to review their security settings. I've known about this for years of course, but really always assumed that the warning would be enough. Ken's prodding made it clear that it definitely was not enough as there are literally hundreds of apps out there that have open admin pages.

Hopefully this push will rein in some of those. Between email notifications, the blog post, Twitter and messages here I hope we can at least reach a few extra people that otherwise would not be aware.

+++ Rick ---

re: Security Advisory: Fix Web Connection Administration Access Exploit
  Randy Pearson
  Rick Strahl
  Feb 27, 2018 @ 12:17pm

Hi, Rick!

How's it going? Quick question on this: Is there anything new in wc.dll itself in release 6.19 relative to this exploit, or are you just pushing out updates to the ASP/X pages? I'm asking because we typically don't use those pages at all, preferring an old style hand-edited admin.html page instead.

Just trying to assess whether the DLL or anything built into our VFP EXEs needs to be addressed.

Thanks and regards.

-- Randy

re: Security Advisory: Fix Web Connection Administration Access Exploit
  Rick Strahl
  Randy Pearson
  Feb 27, 2018 @ 12:31pm

There's nothing specific in the DLLs. The DLL requests already require authentication by default via the AdminAccount unless explicitly turned off and I think they always have past 4.x. So as long as AdminAccount has ANY or a specific account in it there's no open access.

+++ Rick ---
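The thread describes two independent layers: IIS authentication and authorization on the admin page itself (the Security Lockdown and IIS Configuration topics Rick points to), and the AdminAccount setting that Web Connection checks before serving the wc.wc?wwmaint requests (the second level Stein and Rick discuss). As an added illustration, not part of the original thread or of Web Connection's shipped files, here is a constructed web.config fragment that shows the open configuration beside the locked-down one for the admin folder. The folder name `admin` and the role name are assumptions for the example; use your site's actual admin path.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Constructed example (not Web Connection's shipped web.config). -->
<configuration>

  <!-- OPEN (the situation the advisory warns about): anonymous users can
       reach everything under /admin. This is effectively what you get when
       the folder carries no <location> rule at all. Shown only for contrast. -->
  <!--
  <location path="admin">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  -->

  <!-- LOCKED DOWN: require an authenticated Windows account for /admin.
       Rules are evaluated top to bottom: anonymous ("?") is refused first,
       then the admin role is allowed, then everyone else ("*") is refused. -->
  <location path="admin">
    <system.web>
      <authorization>
        <deny users="?" />
        <allow roles="BUILTIN\Administrators" />   <!-- assumed role; adjust -->
        <deny users="*" />
      </authorization>
    </system.web>
    <system.webServer>
      <security>
        <authentication>
          <anonymousAuthentication enabled="false" />
          <windowsAuthentication enabled="true" />
        </authentication>
      </security>
    </system.webServer>
  </location>

</configuration>
```

The `<system.webServer><security><authentication>` section is locked at the server level in a default IIS install, so the per-site override only takes effect once the section's overrideMode has been set to Allow in applicationHost.config (or the same settings are applied through IIS Manager on the admin folder). The ASP.NET `<authorization>` rule protects admin.aspx and anything else ASP.NET serves from that folder; it does not by itself gate requests that wc.dll handles directly, which is why the thread stresses keeping AdminAccount set to ANY or to a specific account in the Web Connection configuration as the second layer. After deploying, confirm the lockdown by requesting the admin page from a browser with no credentials and verifying you receive an authentication challenge rather than the page.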
