|
On Sep 24, 2018, at 9:06 AM, Rob Berendt <rob@xxxxxxxxx> wrote:
I want to hunt down and find two files in the IFS. IDK if that IFS is a
symbolic link into /qsys.lib or not, I just want to find these. These
files are rguest.exe and wguest.exe. We're getting dinged on an audit
because of the existence of these files. I'm beginning to question
whether the audit is testing for the actual files, or the function they
perform and then "assume" it's one of those two files. After all, .exe
files aren't really an IBM i kind of thing.
My first foray was querying the output of RTVDIRINF. No luck.
Next I tried qsHell.
find / -name "*guest.*"find: 001-0023 Error found opening file
/QSYS.LIB/PMEDHUSR.LIB/EDH_H1.DTAQ. Resource busy.
find: 001-0023 Error found opening file
/QSYS.LIB/PMEDHUSR.LIB/EDH_H2.DTAQ. Resource busy.
find: 001-0023 Error found opening file
/QSYS.LIB/PMEDHUSR.LIB/EDH_H3.DTAQ. Resource busy.
find: 001-0023 Error found opening file
/QSYS.LIB/PMEDHUSR.LIB/EDH_H4.DTAQ. Resource busy.
find: 001-0023 Error found opening file /QSYS.LIB/QQFENDSVR.PGM.
Resource busy.
$
Which makes me wonder if this stupid find command is searching contents,
or if it can't figure out if these object types are a directory or not.
Original problem:
Webcom CGI Guestbook File Disclosure Vulnerability
CVE-1999-0467
THREAT:
The programs 'wguest.exe' and 'rguest.exe' are present on the server.
IMPACT:
Unauthorized users can read arbitrary files.
SOLUTION:
Install and use another Guestbook program.
EXPLOITABILITY:
The Exploit-DB
Reference: CVE-1999-0467
Description: WebCom datakommunikation Guestbook 0.1 - 'rguest.exe'
Arbitrary File Access - The Exploit-DB Ref : 20447
Link: http://www.exploit-db.com/exploits/20447
Reference: CVE-1999-0467
Description: WebCom datakommunikation Guestbook
One big recent change was the addition of some Zend for a bolt on we're
evaluating.
Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1
Group Dekko
Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.
Please contact support@xxxxxxxxxxxx for any subscription related questions.
Help support midrange.com by shopping at amazon.com with our affiliate link: http://amzn.to/2dEadiD
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.