× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.



Vern,

I think you miss the point of this "information vulnerability"

A user can view the results of a display library from the system request
menu, and when they do the user will see the existence of all user profiles,
even though the user does not have read (*USE) authority to those user
profiles.  This is because the library contains references to those objects,
but the DSPLIB command/display does not regulate whether a user can address
the library reference of an object that the user has no authority to.

It's not a big bug, and as you said, not particularly scary, but I'd still
have to call it a bug.

jte



--
John Earl
www.powertechgroup.com  john.earl@powertechgroup.com
The Powertech Group Inc. Seattle, Washington
Where the Security Experts Live!

Phone: +1-253-872-7788 (optional)
Fax:   +1-253-872-7904 (optional)
--
----- Original Message -----
From: "Vernon Hamberg" <vhamberg@attbi.com>
To: <vuldb@securityfocus.com>
Cc: <midrange-l@midrange.com>
Sent: Monday, March 04, 2002 1:59 PM
Subject: OS/400 User Account Name Disclosure Vulnerability


> --
> [ Picked text/plain from multipart/alternative ]
> I'm very happy to see you looking at IBM's AS/400 for possible security
> weaknesses. Having been a user and developer on the AS/400 and its
> predecessor, System/38, for a dozen years, I have seen it to be a very
> secure platform. Properly administered, it would be extremely difficult to
> hack it. It's almost impossible to put a worm or virus or similar item on
it.
>
> This so-called vulnerability is well known and has never been considered a
> weakness in that community. To get to this point, a user is already signed
> on to the system. You cannot get to this through any other means than to
> have signed on to an active session. Therefore, you already have access to
> the machine.
>
> There are settings in the individual user's parameters (contained in an
> object called a user profile) that can limit the ability to use the
command
> line of an interactive session. This would prevent a user from using a
> command called DSPLIB (display library), which would allow a user to see
> the contents of the library called QSYS, where the user profiles are
> stored. Most users would not have the authority to change or delete any of
> these things, unless specifically allowed to.
>
> There is a manual, Tips and Tools for Securing Your iSeries, on the IBM
> iSeries/AS400 site,
> http://publib.boulder.ibm.com/html/as400/v5r1/ic2924/books/c4153005.pdf,
> that might be helpful for you to look at.
>
> Thanks
>
> Vern Hamberg
>
> Would you like to see a challenging little arithmetic puzzle
> that might get you or your kids or grandkids more interested
> in math? Go to <http://cgi.wff-n-proof.com/MSQ-Ind/I-1E.htm>
>
> Sillygism--
>
> Something is better than nothing.
> Nothing is better than a ham sandwich.
> Ergo
> Something is better than a ham sandwich.
> --
>
> _______________________________________________
> This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
> To post a message email: MIDRANGE-L@midrange.com
> To subscribe, unsubscribe, or change list options,
> visit: http://lists.midrange.com/cgi-bin/listinfo/midrange-l
> or email: MIDRANGE-L-request@midrange.com
> Before posting, please take a moment to review the archives
> at http://archive.midrange.com/midrange-l.
>



As an Amazon Associate we earn from qualifying purchases.

This thread ...

Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.