|
boothm@ibm.net wrote: > I am assuming that too. > > But now, what about this scenario: A user has change authority to a file > and has programs on the Client Access menu where he/she can change > displayed fields like name & address from, oh, say, payroll. Does this > mean that now he/she could become an ODBC expert and go in that file and > change other fields that are not normally displayed to him/her? I am > thinking of payroll header files where often times pay rate, y-t-d, q and > q-t-d totals are kept. Or Accounts Receivable header files where credit > limits are kept. or... Yes. That is AS/400's dirty little security secret. This is not a new security hole, it's been around since the first PC was connected via APPC (probably to a S/38). But you used to have to possess a fair degree of technical aptitude to exploit the hole. But now, with MS creating all kinds of fancy wizard programs that allow just about any ODBC user to connect to the /400, we all have a serious security problem on our hands. jte -- John Earl PowerTech Toolworks johne@toolnet.com 253-858-7388 Riley Nichole Earl, Born 7/6/98 - 8lb 11oz. Already an AS/400 fan! -- +--- | This is the Midrange System Mailing List! | To submit a new message, send your mail to MIDRANGE-L@midrange.com. | To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com. | To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com. | Questions should be directed to the list owner/operator: david@midrange.com +---
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.
midrange.com
