How would you classify QEZSNDMG? Call QEZSNDMG from the command line, or Go Assist opt 4, or the default Attn key (Assist again). The Send To supports prompting a list of all profiles on the system (presumably working as designed). Would that be a bug too?

Eric DeLong
Sally Beauty Company
MIS-Sr. Programmer/Analyst
940-898-7863 or ext. 1863

-----Original Message-----
From: John Earl [mailto:john.earl@powertechgroup.com]
Sent: Monday, March 04, 2002 11:13 PM
To: midrange-l@midrange.com; vuldb@securityfocus.com
Cc: midrange-l@midrange.com
Subject: Re: OS/400 User Account Name Disclosure Vulnerability

Vern,

I think you miss the point of this "information vulnerability". A user can view the results of a display library from the system request menu, and when they do the user will see the existence of all user profiles, even though the user does not have read (*USE) authority to those user profiles. This is because the library contains references to those objects, but the DSPLIB command/display does not regulate whether a user can address the library reference of an object that the user has no authority to.

It's not a big bug, and as you said, not particularly scary, but I'd still have to call it a bug.

jte

--
John Earl
www.powertechgroup.com
john.earl@powertechgroup.com
The Powertech Group Inc.
Seattle, Washington
Where the Security Experts Live!
Phone: +1-253-872-7788 (optional)
Fax: +1-253-872-7904 (optional)
--

----- Original Message -----
From: "Vernon Hamberg" <vhamberg@attbi.com>
To: <vuldb@securityfocus.com>
Cc: <midrange-l@midrange.com>
Sent: Monday, March 04, 2002 1:59 PM
Subject: OS/400 User Account Name Disclosure Vulnerability

> --
> [ Picked text/plain from multipart/alternative ]
> I'm very happy to see you looking at IBM's AS/400 for possible security
> weaknesses. Having been a user and developer on the AS/400 and its
> predecessor, System/38, for a dozen years, I have seen it to be a very
> secure platform. Properly administered, it would be extremely difficult to
> hack it. It's almost impossible to put a worm or virus or similar item on it.
>
> This so-called vulnerability is well known and has never been considered a
> weakness in that community. To get to this point, a user is already signed
> on to the system. You cannot get to this through any other means than to
> have signed on to an active session. Therefore, you already have access to
> the machine.
>
> There are settings in the individual user's parameters (contained in an
> object called a user profile) that can limit the ability to use the command
> line of an interactive session. This would prevent a user from using a
> command called DSPLIB (display library), which would allow a user to see
> the contents of the library called QSYS, where the user profiles are
> stored. Most users would not have the authority to change or delete any of
> these things, unless specifically allowed to.
>
> There is a manual, Tips and Tools for Securing Your iSeries, on the IBM
> iSeries/AS400 site,
> http://publib.boulder.ibm.com/html/as400/v5r1/ic2924/books/c4153005.pdf,
> that might be helpful for you to look at.
>
> Thanks
>
> Vern Hamberg
>
> Would you like to see a challenging little arithmetic puzzle
> that might get you or your kids or grandkids more interested
> in math? Go to <http://cgi.wff-n-proof.com/MSQ-Ind/I-1E.htm>
>
> Sillygism--
>
> Something is better than nothing.
> Nothing is better than a ham sandwich.
> Ergo
> Something is better than a ham sandwich.
> --
>
> _______________________________________________
> This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
> To post a message email: MIDRANGE-L@midrange.com
> To subscribe, unsubscribe, or change list options,
> visit: http://lists.midrange.com/cgi-bin/listinfo/midrange-l
> or email: MIDRANGE-L-request@midrange.com
> Before posting, please take a moment to review the archives
> at http://archive.midrange.com/midrange-l.
> _______________________________________________