× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. April 2005

RE: Recent bugtraq postings

Well..I don't know if they're inaccurate, but IMO they are a tad
misleading. Yes, you can access a PC from an iSeries using rexec..but
you can also access a mainframe from a MacIntosh using rexec. STRPCO
and STRPCCMD and RUNRMTCMD aren't  security exposures - they're
designed to work that way. It would be like saying that "If someone
initiates a terminal session on a UNIX system, they could use the rm
backdoor to delete files!".


> -------- Original Message --------
> Subject: Re: Recent bugtraq postings
> From: shalom@xxxxxxxxxx
> Date: Mon, April 25, 2005 11:20 am
> To: midrange-l@xxxxxxxxxxxx
> 
> Hey,
> 
> Contrary to what was mentioned on this forum, the postings on bugtraq do
> not contain any lies and do not contain any technical inaccuracies. 
> If you do find any inaccurate statement, I would like to know about it as 
> soon as possible.
> 
> Please, read the postings yourselves and do not rely on second hand opinion.
> 
> Enumerating users via LDAP:   http://www.securityfocus.com/archive/1/394308
> Enumerating users via FTP:    http://www.securityfocus.com/archive/1/394879
> Enumerating users via POP3:   http://www.securityfocus.com/archive/1/395969
> 5250 emulation back-door:     http://www.securityfocus.com/archive/1/394058
> Netcat reverse shell:         http://www.securityfocus.com/archive/1/394753
> FTP canonicalization problem: http://www.securityfocus.com/archive/1/396628
> 
> 
> The FTP canonicalization based directory traversal is not IBM's problem, 
> it is a problem of the 3rd party security products.
> Some of them were notified prior to publishing, 
> and I waited for a reasonable time before posting on bugtraq.
> 
> The user enumeration techniques are low severity problems, 
> but problems they are, whether by design or by omission. 
> 
> (I really do not understand why LDAP and POP3 must be turned on by default,
> but hey, who am I to tell IBM how to package their products?)
> 
> On the other hand, the 5250 back-door and the reverse shell are 
> potentially dangerous to the corporate environment. 
> 
> I do not sell solutions - there are enough iSeries solution makers.
> I provide information about problems that sometimes exist in unforeseen 
> places.
> 
> BTW, IBM refused several times to answer my queries about some of the 
> issues. I was asked to supply a valid service agreement before anyone
> would talk to me. 
> 
> Well, I do not even have an iSeries server, 
> so this obviously was out of the question..
> 
> 
> Shalom Carmel
> -------------
> www.venera.com - Exposing iSeries insecurity
> 
> -- 
> This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
> To post a message email: MIDRANGE-L@xxxxxxxxxxxx
> To subscribe, unsubscribe, or change list options,
> visit: http://lists.midrange.com/mailman/listinfo/midrange-l
> or email: MIDRANGE-L-request@xxxxxxxxxxxx
> Before posting, please take a moment to review the archives
> at http://archive.midrange.com/midrange-l.

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.