|
Frankly I think it was a good service to publish this so that I may fix my code. And, yes, users who are supposed to ftp files from/to our 400 should have ftp access. It isn't that hard to write a program to lock this down. But with "heads up" notifications from people like this, you can fix it before someone exploits your mistake. Rob Berendt -- Group Dekko Services, LLC Dept 01.073 PO Box 2000 Dock 108 6928N 400E Kendallville, IN 46755 http://www.dekko.com "Ingvaldson, Scott" <SIngvaldson@xxxxxxxxxxxx> Sent by: midrange-l-bounces+rob=dekko.com@xxxxxxxxxxxx 05/16/2005 04:21 PM Please respond to Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx> To <midrange-l@xxxxxxxxxxxx> cc Subject RE: iSeries FTP security I'll certainly agree that many, if not most, shops do not pay enough attention to security. What I disagree with is that this particular "exploit" is as serious as is implied, based on the requirement of a valid, authenticated user to perform it. That's like saying that leaving your QSECOFR password set to default and having a direct internet connection is a "serious vulnerability." Mr. Carmel, who's bio states the he wrote his first BASIC program in 1978 and received his first offer to commit a cyber crime in 1994 (but apparently hasn't done much since then,) seems merely to be trying to sell his $39 Ebook by exploiting misunderstanding of iSeries security. He admitted here last month http://archive.midrange.com/midrange-l/200504/msg01339.html that he does "not even have an iSeries server." Most of the "exploits" he exposes follow this same vein, for instance one that exposes weaknesses in "terminal emulation clients," again by "valid, authenticated users." Mr. Carmel's only valid argument seems to be that some services should not be turned on by default. I suspect that in most of our shops that any "valid, authenticated user" can log onto the system any way they see fit and get access to any "of the files that he has authority to access, based on the server assigned object authority." Is this really an exploit? Certainly, Rob, a sufficiently knowledgeable and talented user could use FTP to go after /qsys.lib/mylib.lib/myfile.file/mymbr.mbr/../../payroll.file/payroll.mbr and download the payroll file, but should this user have FTP access to this system at all? Is this really an "exploit" or, to coin a phrase "Working As Designed?" How difficult is it to write an Exit Point Program to restrict all FTP access to authorized FTP users only? Regards, Scott Ingvaldson iSeries System Administrator GuideOne Insurance Group -----Original Message----- date: Mon, 16 May 2005 14:28:04 -0500 from: rob@xxxxxxxxx subject: RE: iSeries FTP security Scott, I respectfully disagree. A bulk of 400 shops do not granualize their security enough. For example, they use some sort of group profile to allow users to get into the 'accounting' data library. Once in there they hope that 5250 menu security works. Now comes along a ftp project request. One alternative might have been to change all their 5250 programs to USEADPAUT(*YES) and have some early program owned in the call stack to be owned appropriately and then also allow read access to individual users of the one file to download. Another alternative is to leave the bulk of the security model the same, but use an ftp exit point program to only allow from one member in one file: /qsys.lib/mylib.lib/myfile.file/mymbr.mbr But by canonization you could do /qsys.lib/mylib.lib/myfile.file/mymbr.mbr/../../payroll.file/payroll.mbr and get to what you need. Because, if the exit point followed my poor technique of just checking the left to match with what they are authorized to - they're toast. Rob Berendt -- Group Dekko Services, LLC -- This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe, unsubscribe, or change list options, visit: http://lists.midrange.com/mailman/listinfo/midrange-l or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a moment to review the archives at http://archive.midrange.com/midrange-l.
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.