



To even use any of the iSeries features mentioned below, I believe you have
to have the right kind of user profile and password.  You also have to
have a user profile with proper authority.  I doubt you've ever gained
unauthorized access to an iSeries and had the authority to even attempt any
of the subjects below, IMHO of course ;-).

> -------- Original Message --------
> Subject: Re: Recent bugtraq postings
> From: shalom@xxxxxxxxxx
> Date: Mon, April 25, 2005 11:20 am
> To: midrange-l@xxxxxxxxxxxx
>
> Hey,
>
> Contrary to what was mentioned on this forum, the postings on bugtraq do
> not contain any lies and do not contain any technical inaccuracies.
> If you do find any inaccurate statement, I would like to know about it as
> soon as possible.
>
> Please, read the postings yourselves and do not rely on second hand
> opinion.
>
> Enumerating users via LDAP: http://www.securityfocus.com/archive/1/394308
> Enumerating users via FTP: http://www.securityfocus.com/archive/1/394879
> Enumerating users via POP3: http://www.securityfocus.com/archive/1/395969
> 5250 emulation back-door: http://www.securityfocus.com/archive/1/394058
> Netcat reverse shell: http://www.securityfocus.com/archive/1/394753
> FTP canonicalization problem: http://www.securityfocus.com/archive/1/396628
>
>
> The FTP canonicalization based directory traversal is not IBM's problem,
> it is a problem of the 3rd party security products.
> Some of them were notified prior to publishing,
> and I waited for a reasonable time before posting on bugtraq.
>
> The user enumeration techniques are low severity problems,
> but problems they are, whether by design or by omission.
>
> (I really do not understand why LDAP and POP3 must be turned on by
> default,
> but hey, who am I to tell IBM how to package their products?)
>
> On the other hand, the 5250 back-door and the reverse shell are
> potentially dangerous to the corporate environment.
>
> I do not sell solutions - there are enough iSeries solution makers.
> I provide information about problems that sometimes exist in unforeseen
> places.
>
> BTW, IBM refused several times to answer my queries about some of the
> issues. I was asked to supply a valid service agreement before anyone
> would talk to me.
>
> Well, I do not even have an iSeries server,
> so this obviously was out of the question..
>
>
> Shalom Carmel





This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
