Welcome to the official BlackBerry Support Community Forums.

New Contributor
random

MDS-CS Administration (status) page

New to BES, just installed 4.1.6 in a Microsoft Exchange 2007 environment. The MDS Connection Service hosts a status page (http://bestestbox:8080 by default). This page has detailed status information, including version numbers and database connection strings, which constitutes an information disclosure vulnerability.

Does anyone know how to turn this off (or at least set some form of authentication on it) without disabling MDS CS functionality? I couldn't find anything in the Installation or Administration documents about disabling this page.

Thanks!

Guru III
knottyrope

Re: MDS-CS Administration (status) page

Knot sure about the authentication part.

Message Edited by knottyrope on 04-08-2009 03:29 PM

New Contributor
random

Re: MDS-CS Administration (status) page

Thanks for the suggestion, however, I do not want to disable the MDS services completely as we plan to use them.

I just want to disable (or prevent "anyone" from accessing) the status page, as all version numbers and database connection strings are visible. (This "Information Disclosure" is a violation of our security standard.)

Retired
HighRoad

Re: MDS-CS Administration (status) page

random wrote:

Thanks for the suggestion, however, I do not want to disable the MDS services completely as we plan to use them.

I just want to disable (or prevent "anyone" from accessing) the status page, as all version numbers and database connection strings are visible. (This "Information Disclosure" is a violation of our security standard.)

Hey random,

There isn't really a way to "disable" the MDS connection service status page. You could change the listening port to a non-default port and make sure the new port is not provided to anyone other than the BESadmin.

The BlackBerry MDS Connection Service status page does not load
http://www.blackberry.com/btsc/kb15490

Message Edited by HighRoad on 04-08-2009 10:38 AM
New Contributor
random

Re: MDS-CS Administration (status) page

Thanks for confirming that; that was what I was afraid of. I guess we'll just keep the port firewalled off.

From what I can tell, the only function of the web server listening on that port is the status page. Is that correct?

Retired
HighRoad

Re: MDS-CS Administration (status) page

correct
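
Added example, not part of the thread or of any BlackBerry tooling: a check an administrator can run from a non-admin network segment to confirm that the firewall rule really blocks the status port and, if the page still answers, which of the two leaks named above it exposes. The function names, the regex patterns and the sample page are assumptions constructed for illustration; the thread does not show the real page's markup.

```python
import re
import urllib.error
import urllib.request

# Assumed patterns: the thread names what the page leaks, not how it is laid out.
DISCLOSURE_PATTERNS = {
    "connection_string": re.compile(
        r"jdbc:\w+:[^\s<\"']+|(?:Server|Data Source)=[^;<]+;", re.I),
    "version_number": re.compile(r"\bversion\b[^0-9<]{0,20}\d+(?:\.\d+)+", re.I),
}

# Ignore proxy settings so the result reflects a direct connection from this host.
_DIRECT = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def find_disclosures(body):
    """Return the sorted names of the disclosure categories found in a page body."""
    return sorted(n for n, rx in DISCLOSURE_PATTERNS.items() if rx.search(body))


def audit_status_page(host, port=8080, timeout=3.0):
    """Request http://host:port/ from this vantage point.

    Returns ("blocked", []) when nothing answers (refused, filtered, timed out),
    or ("reachable", findings) when any HTTP response comes back.
    """
    url = f"http://{host}:{port}/"
    try:
        with _DIRECT.open(url, timeout=timeout) as resp:
            body = resp.read(65536).decode("utf-8", errors="replace")
    except urllib.error.HTTPError as exc:
        # An error status (401, 403, 404...) still proves the port is open.
        body = exc.read(65536).decode("utf-8", errors="replace")
    except (urllib.error.URLError, OSError):
        return "blocked", []
    return "reachable", find_disclosures(body)


# Constructed sample page, used only to exercise the patterns offline.
SAMPLE_STATUS_PAGE = """<html><body><h1>MDS Connection Service</h1>
<p>Version: 4.1.6</p>
<p>Database: jdbc:sqlserver://dbhost.example:1433;databaseName=ExampleDB</p>
</body></html>"""

if __name__ == "__main__":
    print(find_disclosures(SAMPLE_STATUS_PAGE))
    print(audit_status_page("127.0.0.1", 8080))
```

Run it once from the BES admin workstation and once from an ordinary user subnet; only the first should report "reachable". If the listening port was changed as suggested, pass the new port explicitly.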