You are absolutely right.

What I was trying to say was - the greatest threat to the system comes
from inside the organisation. From people who already have a valid sign
on. It is they who have access to this information which they could then
use to hack other integral servers (eg. FTP, ODBC).

If a hacker from outside the organisation has successfully hacked a 5250
session, the system is compromised, and could be under greater threat.

Syd Nicholson
Castlehill Computer Services Ltd.


James Rich wrote:

>On Mon, 25 Feb 2002, Dr Syd Nicholson wrote:
>
>>Are we not all missing the point here??
>>
>>In order to use the System Request menu the user has signed on.
>>They have a user ID and password. If this is an unauthorised person the
>>system is already compromised. The system has already been hacked!!!
>>
>
>Not all vulnerabilities are remote or can be exploited without a valid
>login.  A vulnerability is a situation where some user can do something
>that that user is not allowed to do.  The fact that a certain
>vulnerability cannot be exploited remotely or requires a valid login
>to be exploited does not mean that it is not a security breach.
>
>>If the signed-on user is authorised to use the system, they probably
>>know the other User IDs anyway.
>>
>>If your system has been hacked - 5250 sessions are the least of the
>>problem - check out FTP and ODBC, these are MUCH more dangerous. If the
>>installed applications do not allow sufficient flexibility regarding
>>configuring the security of OS/400, consider using exit point security
>>programs to close back door access to the system.
>>
>
>That there are many methods to break into systems is not the point.  That
>this particular exploit requires a valid login is not the point.  That
>some program or service can be tricked into doing something it was not
>designed to do is the point.
>
>Whose clever sig is it that says, "there are two types of programs...
>those that do what they are supposed and those that don't.  I use the
>latter." ?
>
>James Rich
>james@eaerich.com
>

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.