

  • Subject: RE: New security holes? Was: Re: FW: paradox ?
  • From: "Steve Glanstein" <mic@xxxxxxxxx>
  • Date: Wed, 19 Jul 2000 22:19:47 -1000
  • Importance: Normal


Once again folks....If you are running at level 30, there are probably
hundreds (maybe thousands?) of people who can get passwords...at level 40,
you're down to just a few. There is a reason that IBM ships AS/400s at level
40...

At level 50, there are even fewer...but it is still possible...

Steve Glanstein
mic@aloha.com

> -----Original Message-----
> From: owner-mi400@midrange.com [mailto:owner-mi400@midrange.com]On
> Behalf Of Anton Gombkoto
> Sent: Wednesday, July 19, 2000 7:41 PM
> To: MI400@midrange.com
> Subject: Re: New security holes? Was: Re: FW: paradox ?
>
>
> I installed the PTF for V4R2.
>
> The PTF seems to change DMPSYSOBJ. Where you saw before the password, there
> are only blanks left.
>
> But it changes obviously nothing on the fact that they remember the input
> fields for a reason I don't understand and so the program still reveals
> passwords, even with the PTF installed.
>
>
> At 16:09 14.07.00 -0500, you wrote:
> >Gene,
> >
> >does this mean that IBM's recent PTF to close the signon-password
> >hole really doesn't matter? Is this a new hole?
> >
> >----- Original Message -----
> >From: <Gene_Gaunt/ReviewWorks@reviewworks.com>
> >To: <MI400@midrange.com>
> >Sent: Friday, July 14, 2000 3:03 PM
> >Subject: Re: FW: paradox ?
> >
> >
> > > Modules have states.  UPDPGM and UPDSRVPGM fail with CPD5CF7 if user state
> > > tries to bind with system state.  On level 30 a user state can reference
> > > the system domain, like the following RPGLE that still displays a
> > > workstation's first "Read MDT Fields" input buffer.  The external
> > > parameter is a signed-on workstation name in the same subsystem that runs
> > > this program.
> > >
> > >      H dftactgrp( *no ) bnddir( 'QC2LE' )
> > >
> > >      D Pco             PR              *   extproc( '_PCOPTR' )
> > >
> > >      D Setsppfp        PR              *   extproc( 'setsppfp' )
> > >      D   Object                      16A   value
> > >
> > >      D Setsppo         PR              *   extproc( 'setsppo' )
> > >      D   Pointer                       *   value
> > >      D   Offset                      10U 0 value
> > >
> > >      D Work            DS                  based( Work@ )
> > >      D   Forward                     10U 0 overlay( Work :   1 )
> > >      D   Buffer@                       *   overlay( Work :  65 )
> > >      D   Request@                    16A   overlay( Work :  97 )
> > >      D   ODP@                          *   overlay( Work : 129 )
> > >      D   Table@                        *   overlay( Work : 225 )
> > >
> > >      C     *entry        plist
> > >      C                   parm                    Display          10
> > >
> > >      C                   eval      *INLR = *on
> > >      C                   if        %Parms >= 1
> > >      C                   eval      Work@ = Pco
> > >      C                   eval      Work@ = Table@
> > >      C                   eval      Work@ = Setsppo( Work@ : 128 )
> > >      C                   dou       Forward = 0
> > >      C                   if        Display = %subst( Work : 7 : 10 )
> > >      C                   if        ODP@ <> *null
> > >      C                   eval      Work@ = ODP@
> > >      C                   eval      Work@ = Setsppfp( Request@ )
> > >      C                   eval      Work@ = Buffer@
> > >      C                   eval      UPass = %subst( Work : 7 : 26 )
> > >      C                   dsply                   UPass            26
> > >      C                   endif
> > >      C                   leave
> > >      C                   endif
> > >      C                   eval      Work@ = Setsppo( Work@ : Forward )
> > >      C                   enddo
> > >      C                   endif
> > >
> > >
> > > +---
> > > | This is the MI Programmers Mailing List!
> > > | To submit a new message, send your mail to MI400@midrange.com.
> > > | To subscribe to this list send email to MI400-SUB@midrange.com.
> > > | To unsubscribe from this list send email to MI400-UNSUB@midrange.com.
> > > | Questions should be directed to the list owner/operator: dr2@cssas400.com
> > > +---
> > >
> >
>
>
