On Tue, 2005-04-26 at 13:05 -0500, Lim Hock-Chai wrote:
> I'm not a security expert, but how would a green screen app be more secure
> than a GUI app? Is it because you isolate the AS400 from the internet world?
> If so, how is that different from isolating a GUI app from the internet?

You don't have to have client software to run it, just a terminal. Therefore you can eliminate the 'client side' exposure, such as you might have with Internet Explorer. Green screen apps are also less likely to be susceptible to certain kinds of attacks that might work on a browser app. One that comes immediately to mind is the SQL injection attack.

However, it occurs to me that one might be able to mount an attack on a green screen app, if one were so inclined. I've written lots of code that uses hidden fields in a display file, and often store things like database keys there, and the fact is that all of the fields on the display screen are global variables of the program you are running. With a 5250 client under your own control, you could change any of those fields at will. I suspect that almost all 5250 programs expect to run on a trusted client (either an actual terminal or something like Client Access), and thus do not validate output-only or hidden fields.

Hypothetically, I know of a menu application that allows only authorized users to update menu items. That is to say, the F8 key will allow a menu update, but F8 is not activated in the display file for unauthorized users. The program code probably goes something like:

    // If the user is allowed to change the menu, activate the F8 key
    if authorized_to_update;
      *in28 = '1';   // activate the F8 key
    endif;

    exfmt the_menu;

    select;
      when *in08 = '1';
        // process menu update
    endsl;

Notice, the programmer of the menu app assumes that only an authorized user can press F8, and never considered that a hacked 5250 client can probably set on the F8 key at will.

This is mostly speculation on my part as I've never bothered to try it, but I'm sure others on the list can confirm how much manipulation the display file buffer is subject to.

--
Regards,
Rich

Current Conditions in Des Moines, IA
Overcast
Temp 48.2F
Winds out of the North at 22mph
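
Added example, not part of the post above and not IBM i code: a small Python model of the menu logic the post describes, with the handler that trusts the returned function key and hidden field beside one that re-checks both on the server. The names (`AUTHORIZED`, `Response`, `menu_key`, the users and key values) are hypothetical and the responses are constructed; the model makes no claim about what a real 5250 data stream permits.

```python
from dataclasses import dataclass

AUTHORIZED = {"ALICE"}  # hypothetical server-side list of users who may update menus

@dataclass
class Response:
    """What comes back from the client after the screen is shown (constructed model)."""
    key: str      # function key the client reports, e.g. "ENTER" or "F8"
    fields: dict  # every field value returned, including hidden ones

def vulnerable_handler(user, sent_key, resp):
    """Mirrors the menu logic in the post: F8 arriving is taken as proof of authority."""
    if resp.key == "F8":
        # Hidden field is used as the record key exactly as the client returned it.
        return ("UPDATED", resp.fields["menu_key"])
    return ("DISPLAYED", None)

def hardened_handler(user, sent_key, resp):
    """Re-checks everything on the server after the screen returns."""
    if resp.key != "F8":
        return ("DISPLAYED", None)
    if user not in AUTHORIZED:
        return ("REJECTED", "F8 received from a user not authorized to update")
    if resp.fields.get("menu_key") != sent_key:
        return ("REJECTED", "hidden field differs from the value the server sent")
    return ("UPDATED", sent_key)  # act on the server's copy, not the client's

def demo():
    """Run constructed responses through both handlers and return the outcomes."""
    honest = Response("F8", {"menu_key": "M001"})    # authorized user, untouched screen
    tampered = Response("F8", {"menu_key": "M999"})  # F8 and hidden field both altered
    return {
        "vulnerable/BOB/tampered": vulnerable_handler("BOB", "M001", tampered),
        "hardened/BOB/tampered": hardened_handler("BOB", "M001", tampered),
        "hardened/ALICE/tampered": hardened_handler("ALICE", "M001", tampered),
        "hardened/ALICE/honest": hardened_handler("ALICE", "M001", honest),
    }

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

In the RPG sketch from the post, the equivalent change is to test `authorized_to_update` again after `exfmt` instead of relying on `*in08` alone, and to keep database keys in program storage, not in a hidden display field.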
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.