× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. March 2002

RE: OS/400 User Account Name Disclosure Vulnerability

How would you classify QEZSNDMG?  Call QEZSNDMG from the command line, or Go
Assist opt 4, or the default Attn key (Assist again).  The Send To supports
prompting a list of all profiles on the system (presumably working as
designed).  Would that be a bug too?

Eric DeLong
Sally Beauty Company
MIS-Sr. Programmer/Analyst
940-898-7863 or ext. 1863



-----Original Message-----
From: John Earl [mailto:john.earl@powertechgroup.com]
Sent: Monday, March 04, 2002 11:13 PM
To: midrange-l@midrange.com; vuldb@securityfocus.com
Cc: midrange-l@midrange.com
Subject: Re: OS/400 User Account Name Disclosure Vulnerability


Vern,

I think you miss the point of this "information vulnerability"

A user can view the results of a display library from the system request
menu, and when they do the user will see the existence of all user profiles,
even though the user does not have read (*USE) authority to those user
profiles.  This is because the library contains references to those objects,
but the DSPLIB command/display does not regulate whether a user can address
the library reference of an object that the user has no authority to.

It's not a big bug, and as you said, not particularly scary, but I'd still
have to call it a bug.

jte



--
John Earl
www.powertechgroup.com  john.earl@powertechgroup.com
The Powertech Group Inc. Seattle, Washington
Where the Security Experts Live!

Phone: +1-253-872-7788 (optional)
Fax:   +1-253-872-7904 (optional)
--
----- Original Message -----
From: "Vernon Hamberg" <vhamberg@attbi.com>
To: <vuldb@securityfocus.com>
Cc: <midrange-l@midrange.com>
Sent: Monday, March 04, 2002 1:59 PM
Subject: OS/400 User Account Name Disclosure Vulnerability


> --
> [ Picked text/plain from multipart/alternative ]
> I'm very happy to see you looking at IBM's AS/400 for possible security
> weaknesses. Having been a user and developer on the AS/400 and its
> predecessor, System/38, for a dozen years, I have seen it to be a very
> secure platform. Properly administered, it would be extremely difficult to
> hack it. It's almost impossible to put a worm or virus or similar item on
it.
>
> This so-called vulnerability is well known and has never been considered a
> weakness in that community. To get to this point, a user is already signed
> on to the system. You cannot get to this through any other means than to
> have signed on to an active session. Therefore, you already have access to
> the machine.
>
> There are settings in the individual user's parameters (contained in an
> object called a user profile) that can limit the ability to use the
command
> line of an interactive session. This would prevent a user from using a
> command called DSPLIB (display library), which would allow a user to see
> the contents of the library called QSYS, where the user profiles are
> stored. Most users would not have the authority to change or delete any of
> these things, unless specifically allowed to.
>
> There is a manual, Tips and Tools for Securing Your iSeries, on the IBM
> iSeries/AS400 site,
> http://publib.boulder.ibm.com/html/as400/v5r1/ic2924/books/c4153005.pdf,
> that might be helpful for you to look at.
>
> Thanks
>
> Vern Hamberg
>
> Would you like to see a challenging little arithmetic puzzle
> that might get you or your kids or grandkids more interested
> in math? Go to <http://cgi.wff-n-proof.com/MSQ-Ind/I-1E.htm>
>
> Sillygism--
>
> Something is better than nothing.
> Nothing is better than a ham sandwich.
> Ergo
> Something is better than a ham sandwich.
> --
>
> _______________________________________________
> This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
> To post a message email: MIDRANGE-L@midrange.com
> To subscribe, unsubscribe, or change list options,
> visit: http://lists.midrange.com/cgi-bin/listinfo/midrange-l
> or email: MIDRANGE-L-request@midrange.com
> Before posting, please take a moment to review the archives
> at http://archive.midrange.com/midrange-l.
>

_______________________________________________
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@midrange.com
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/cgi-bin/listinfo/midrange-l
or email: MIDRANGE-L-request@midrange.com
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow-Ups:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.