
The following are my personal opinions and in no way reflect the official 
position of my employer or anyone else...

There is a recent posting on bugtraq that is very misleading. It is the 
latest in a series of recent postings that are also very misleading and 
often inaccurate.

The most recent bugtraq post includes:
> The IBM iSeries (AS/400) server provides a unified access scheme, called
> IFS, to all of the files and to all of the database tables in all of the
> database libraries.

It fails to mention that, like any file system, it only provides access to 
those authenticated users that are also authorized to those databases and 
libraries.

> iSeries servers without FTP security protection are vulnerable by
> default.

I'm not aware of anything called "FTP security." The way to protect any data 
on this system -- or any other system -- is through use of the native access 
control mechanism.

There is, in this bugtraq posting -- like some previous postings -- a kernel 
of accuracy. However, the sky is not falling. If you manage the authority on 
your iSeries objects so that only those who are supposed to access them are 
authorized, then this "canonicalization" attack is a moot point. 

In my opinion, the person making the recent appends to the bugtraq list 
appears to have some motive other than providing useful information about 
security. I base this opinion on the following:

   - To my knowledge, s/he has never submitted an APAR regarding any of 
   the postings made to bugtraq either before or after making the posting. 
   - To my knowledge, s/he has never contacted anyone working for the 
   vendor that could help verify the claim, fix any problem if one existed, or 
   that could help verify his claims, or educate him on the difference between 
   say, a buffer overflow type of attack utilizing "root takeover" and the 
   system providing information to an authenticated AND authorized user that 
   happens to access the system via something other than a green screen. 
   - To my knowledge, s/he has never attempted to verify any alleged 
   exposure with any independent expert with knowledge of the particular system 
   for which s/he is claiming an exposure. 
   - Provided example scripts highlighting an exposure with a posting 
   which didn't work at all without modification 
   - Attributed an architected and documented behavior of the system 
   (users in a group are allowed to see other members of the same group) which 
   behaves the same way through all interfaces as an "exposure" of the LDAP 
   server. 
   - Claims that a "feature" of a client OS that allows any rogue remote 
   system -- of any type -- running a telnet server to use the telnet 
   connection to the client to perform operations on the client is somehow an 
   exposure inherent to the OS on which the telnet server is running. 
   - Includes a link in all postings to bugtraq to a website where a book 
   that can help protect against these "exposures" can be conveniently 
   purchased. 
   - Periodically has annoying pop up ads for other products that must be 
   blocked or clicked to be avoided.
    
So while some of the postings have bits and pieces that may be accurate, 
they all contain glaring inaccuracies which tend to sensationalize and 
magnify the ramifications of any of the parts that are accurate.

I suspect most security experts would also agree that publicly announcing 
exposures without ever informing the vendor (before or after making the 
public announcement) is generally assumed to be grandstanding...
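The post's central technical point is that a "canonicalization" attack only matters when access is decided on the spelling of a name rather than on the authority attached to the object the name resolves to. The following Python model, added here as an illustration and not part of the original post or of any IBM product code, contrasts the two designs. The object store, the user names PAYUSER and GUEST, and the alternate spellings are constructed for the example (QSECOFR is the real IBM i security officer profile name); path resolution is simplified to `posixpath.normpath` and does not model every IFS naming rule, such as the case-insensitive root file system.

```python
import posixpath
from typing import Dict, Optional, Set, Tuple

# Constructed sample object store. Each canonical object name carries its own
# authority list, standing in for native object authority on the system.
OBJECTS: Dict[str, Set[str]] = {
    "/QSYS.LIB/PAYROLL.LIB/CUSTMAST.FILE": {"PAYUSER", "QSECOFR"},
    "/home/guest/readme.txt": {"GUEST", "PAYUSER", "QSECOFR"},
}

# Constructed deny-list used by the weak design: a string prefix the server
# refuses to serve to anyone outside the payroll group.
DENIED_PREFIXES: Tuple[str, ...] = ("/QSYS.LIB/PAYROLL.LIB/",)
PAYROLL_USERS: Set[str] = {"PAYUSER", "QSECOFR"}


def resolve(requested: str) -> Optional[str]:
    """Canonicalize a requested name and return the object it names, or None.

    Simplified resolution: absolute names only, with '.' and '..' segments
    collapsed by posixpath.normpath. Real file systems apply further rules.
    """
    if not requested.startswith("/"):
        return None
    canonical = posixpath.normpath(requested)
    return canonical if canonical in OBJECTS else None


def path_filter_check(user: str, requested: str) -> bool:
    """Weak design: judge the name as typed, before it is resolved.

    Any alternate spelling of the same name that does not match the prefix
    slips past the filter, which is exactly what a canonicalization attack
    relies on.
    """
    if requested.startswith(DENIED_PREFIXES) and user not in PAYROLL_USERS:
        return False
    return resolve(requested) is not None


def object_authority_check(user: str, requested: str) -> bool:
    """Sound design: resolve first, then consult the object's own authority.

    Every spelling of a name ends at the same object and is judged by the same
    rule, so the spelling carries no privilege of its own.
    """
    obj = resolve(requested)
    if obj is None:
        return False
    return user in OBJECTS[obj]


# Constructed alternate spellings of one payroll object.
SPELLINGS = [
    "/QSYS.LIB/PAYROLL.LIB/CUSTMAST.FILE",
    "/QSYS.LIB/./PAYROLL.LIB/CUSTMAST.FILE",
    "/home/../QSYS.LIB/PAYROLL.LIB/CUSTMAST.FILE",
]


def compare(user: str) -> Dict[str, Tuple[bool, bool]]:
    """Return {spelling: (path_filter_result, object_authority_result)}."""
    return {
        s: (path_filter_check(user, s), object_authority_check(user, s))
        for s in SPELLINGS
    }


if __name__ == "__main__":
    for user in ("GUEST", "PAYUSER"):
        print(f"--- {user} ---")
        for spelling, (weak, sound) in compare(user).items():
            print(f"{spelling:48s} filter={weak!s:5s} authority={sound}")
```

Running it shows the unauthorized GUEST denied by the path filter only for the literal spelling, while the two rewritten spellings pass the filter; the object-authority check denies all three and still admits PAYUSER to each, which is the "moot point" the post describes.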

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.