RE: Green-screen versus browser

[James Rich <james@xxxxxxxxxxx>]

On Tue, 26 Apr 2005, Rich Duzenbury wrote:

> Hypothetically, I know of a menu application that allows only authorized
> users to update menu items.  That is to say, the F8 key will allow a
> menu update, but F8 is not activated in the display file for
> unauthorized users.
>
> The program code probably goes something like:
>
>    // If the user is allowed to change the menu, activate the F8 key
>    if authorized_to_update;
>        *in28 = '1';   // activate the f8 key
>    endif;
>
>    exfmt the_menu;
>
>    select;
>        *in08 wheneq '1';
>             // process menu update
>
> Notice, the programmer of the menu app assumes that only an authorized
> user can press F8, and never considered that a hacked 5250 client can
> probably set on the F8 key at will.

It is true that a 5250 client could be modified to send back any key at 
all.  It turns out to be quite simple.  The hard part is knowing that such 
a key actually does something.  Unless I'm misreading the 5250 spec, the 
iSeries never sends the hidden fields to the screen in the first place. 
So you wouldn't know that the possibility exists.

However, a network sniffer would allow you to know what the authorized 
people see and do, provided a hub is used and not a switch.  Even if a 
switch is used, it is trivial to run a sniffer on your own box and then 
ask the admin to come over and run the program from your machine.  Of 
course, if you can sniff you can do a lot more than just use it to hack a 
5250 client.

James Rich

It's not the software that's free; it's you.
        - billyskank on Groklaw