Re: Recent bugtraq postings

[Mike.Crump@xxxxxxxxxxxxxxxx]

"I do not sell solutions - there are enough iSeries solution makers.
I provide information about problems that sometimes exist in unforeseen
places."

But your signature line, and your security focus entries point the user to
a site that effectively sells a book on the subject........as the free
downloads refer to the book as well...........






                                                                           
             shalom@xxxxxxxxxx                                             
                                                                           
             04/25/2005 10:20                                           To 
             AM                        midrange-l@xxxxxxxxxxxx             
                                                                        cc 
                                                                           
             Please respond to                                     Subject 
             Midrange Systems          Re: Recent bugtraq postings         
                 Technical                                                 
                Discussion                                                 
             <midrange-l@midra                                             
                 nge.com>                                                  
                                                                           
                                                                           



Hey,

Contrary to what was mentioned on this forum, the postings on bugtraq do
not contain any lies and do not contain any technical inaccuracies.
If you do find any inaccurate statement, I would like to know about it as
soon as possible.

Please, read the postings yourselves and do not rely on second hand
opinion.

Enumerating users via LDAP:   http://www.securityfocus.com/archive/1/394308
Enumerating users via FTP:    http://www.securityfocus.com/archive/1/394879
Enumerating users via POP3:   http://www.securityfocus.com/archive/1/395969
5250 emulation back-door:     http://www.securityfocus.com/archive/1/394058
Netcat reverse shell:         http://www.securityfocus.com/archive/1/394753
FTP canonicalization problem: http://www.securityfocus.com/archive/1/396628


The FTP canonicalization based directory traversal is not IBM's problem,
it is a problem of the 3rd party security products.
Some of them were notified prior to publishing,
and I waited for a reasonable time before posting on bugtraq.

The user enumeration techniques are low severity problems,
but problems they are, whether by design or by omission.

(I really do not understand why LDAP and POP3 must be turned on by default,
but hey, who am I to tell IBM how to package their products?)

On the other hand, the 5250 back-door and the reverse shell are
potentially dangerous to the corporate environment.

I do not sell solutions - there are enough iSeries solution makers.
I provide information about problems that sometimes exist in unforeseen
places.

BTW, IBM refused several times to answer my queries about some of the
issues. I was asked to supply a valid service agreement before anyone
would talk to me.

Well, I do not even have an iSeries server,
so this obviously was out of the question..


Shalom Carmel
-------------
www.venera.com - Exposing iSeries insecurity

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.