


On Tue, 2005-04-26 at 13:23 -0600, James Rich wrote:
> On Tue, 26 Apr 2005, Rich Duzenbury wrote:
> 
> > Hypothetically, I know of a menu application that allows only authorized
> > users to update menu items.  That is to say, the F8 key will allow a
> > menu update, but F8 is not activated in the display file for
> > unauthorized users.
> >
> > The program code probably goes something like:
> >
> >    // If the user is allowed to change the menu, activate the F8 key
> >    if authorized_to_update;
> >        *in28 = '1';   // activate the f8 key
> >    endif;
> >
> >    exfmt the_menu;
> >
> >    select;
> >        when *in08 = '1';
> >             // process menu update
> >    endsl;
> >
> > Notice, the programmer of the menu app assumes that only an authorized
> > user can press F8, and never considered that a hacked 5250 client can
> > probably set on the F8 key at will.
> 
> It is true that a 5250 client could be modified to send back any key at 
> all.  It turns out to be quite simple.  The hard part is knowing that such 
> a key actually does something.
- Product documentation
- Seeing another user with the capability
- Read the screen "F8=Update"
- Source Code


>   Unless I'm misreading the 5250 spec, the 
> iSeries never sends the hidden fields to the screen in the first place. 
> So you wouldn't know that the possibility exists.
That's excellent news.  One less avenue for attack.

> However, a network sniffer would allow you to know what the authorized 
> people see and do, provided a hub is used and not a switch.  Even if a 
> switch is used, it is trivial to run a sniffer on your own box and then 
> ask the admin to come over and run the program from your machine.  Of 
> course, if you can sniff you can do a lot more than just use it to hack a 
> 5250 client.
Of course, you can get someone else's password, and simply use it for
your misdeeds.


--
Regards,
Rich

Current Conditions in Des Moines, IA
Overcast
Temp 50F
Winds out of the North at 21, gusting to 29mph
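
As an added example (not code from this thread or from any real menu application), here is a Python model of the key handling discussed in the message above: the trusting handler acts on any F8 the client reports, while the checked handler re-tests authority when the key arrives and records a key that was never enabled. All class, method and user names are hypothetical.

```python
# Added illustration: a Python model of the menu program's key handling.
# All names (User, MenuProgram, handle_key_*) are hypothetical.
from dataclasses import dataclass, field

F8 = "F8"  # the key the client reports back; the client chooses this value


@dataclass
class User:
    name: str
    authorized_to_update: bool


@dataclass
class MenuProgram:
    audit: list = field(default_factory=list)

    def enabled_keys(self, user):
        """Keys the display file activates for this user (the *in28 step)."""
        keys = {"ENTER", "F3"}
        if user.authorized_to_update:
            keys.add(F8)
        return keys

    def handle_key_trusting(self, user, key):
        """Pattern from the post: assumes F8 only arrives if it was enabled."""
        if key == F8:
            return "menu updated"
        return "no action"

    def handle_key_checked(self, user, key):
        """Re-check authority when the key arrives and record mismatches."""
        if key not in self.enabled_keys(user):
            # A key that was never offered came back: reject, leave a trail.
            self.audit.append(f"user={user.name} sent disabled key {key}")
            return "rejected"
        if key == F8:
            return "menu updated"
        return "no action"


# Constructed sample: an unauthorized user's client reports F8 anyway.
prog = MenuProgram()
clerk = User("CLERK1", authorized_to_update=False)
admin = User("ADMIN1", authorized_to_update=True)
```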


