RE: Green-screen versus browser -- MIDRANGE-L

I am sure that someone like James who has written a 5250 application for 
windows terminals might be able to tell you how easy it would be for such 
an application to trap id's and passwords and store them on a file on the 
PC.  Or record any data entered on a line following the text "SSN" or like 
data.  Twinax can be sniffed, but let's face it.  Most people use 5250 
emulation programs on network cards.  5250 traffic can be sniffed just as 
easily as any other network traffic.  Therefore I don't find it anymore 
secure.

And I am sure that James has high ethical standards, but what is to stop a 
virus on your machine from replacing the code for your twinax emulation 
program with one that does nasties?  And please don't blow me grief over 
whether I had the technical term wrong and instead of a virus I should 
have called it a trojan horse, or ... because you all know what I meant by 
the security exposure.

Rob Berendt
-- 
Group Dekko Services, LLC
Dept 01.073
PO Box 2000
Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com





Rich Duzenbury <rduz-midrange@xxxxxxxxxxxxxxxxxxx> 
Sent by: midrange-l-bounces@xxxxxxxxxxxx
04/26/2005 01:49 PM
Please respond to
Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>


To
Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
cc

Subject
RE: Green-screen versus browser






On Tue, 2005-04-26 at 13:05 -0500, Lim Hock-Chai wrote:
> I'm not security expert, but how would a green screen app  be more 
secure that GUI app?  Is it because you isolate the AS400 from the 
internet world?  If so, how is that different from isolate the a GUI app 
from internet?

You don't have to have client software to run it, just a terminal. 

Therefore you can eliminate the 'client side' exposure, such as you
might have with internet explorer.

Green screen apps are also less likely to be susceptible to certain
kinds of attacks that might work on a browser app.  One that comes
immediately to mind is the SQL injection attack.

However, it occurs to me that one might be able to mount an attack on a
green screen app, if one were so inclined.  I've written lots of code
that uses hidden fields in a display file, and often store things like
database keys there, and the fact is that all of the fields on the
display screen are global variables of the program you are running.

With a 5250 client under your own control, you could change any of those
fields at will.  I suspect that almost all 5250 programs expect to run
on a trusted client (either an actual terminal or something like client
access), and thus do not validate output only or hidden fields.

Hypothetically, I know of a menu application that allows only authorized
users to update menu items.  That is to say, the F8 key will allow a
menu update, but F8 is not activated in the display file for
unauthorized users.

The program code probably goes something like:

    // If the user is allowed to change the menu, activate the F8 key
    if authorized_to_update;
        *in28 = '1';   // activate the f8 key
    endif;

    exfmt the_menu;

    select;
        *in08 wheneq '1';
             // process menu update



Notice, the programmer of the menu app assumes that only an authorized
user can press F8, and never considered that a hacked 5250 client can
probably set on the F8 key at will.

This is mostly speculation on my part as I've never bothered to try it,
but I'm sure others on the list can confirm how much manipulation the
display file buffer is subject to.



--
Regards,
Rich

Current Conditions in Des Moines, IA
Overcast
Temp 48.2F
Winds out of the North at 22mph


-- 
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing 
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.