× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. November 2001

RE: Mochasoft security hole

The problem you are seeing is an undesirable side-effect of the way TN5250
is handled by the AS400.  The QPADEV* devices are dynamically assigned
whenever a connect request is processed.  Even though you varied off the
device, when they reset their session, a different device will be selected
and they get another sign on screen.  Probably your best line of defense for
this would be one of the telnet initialization exit points, which could
block telnet requests from troublesome IP addresses.  Are you using any
network security tools, such as Powerlock?  You may want to consider
something like this to help you control access to your system.

Eric DeLong
Sally Beauty Company
MIS-Sr. Programmer/Analyst
940-898-7863 or ext. 1863



-----Original Message-----
From: glea@dextermag.com [mailto:glea@dextermag.com]
Sent: Wednesday, November 14, 2001 1:22 PM
To: MIDRANGE-L@midrange.com
Subject: Mochasoft security hole




We are using Mochasoft for some of our access to the AS/400 both internally
and
externally.  We have the system set up so that it will vary off the device
if
the user keys the incorrect password three times.  We tried a little test
yesterday and found that if the user selects "reset terminal" from the
"Edit"
drop down menu the device will be varied back on and a signon screen will
reappear!  This happens even if the systems administrator has varied off the
device manually.  Has anyone else had this experience and if so, how did you
deal with it?

Gary Lea


_______________________________________________
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@midrange.com
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/cgi-bin/listinfo/midrange-l
or email: MIDRANGE-L-request@midrange.com
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.