


I agree that telling customers that the only way to effectively control 
access to data on the system is by using the native object access control 
mechanisms is a very useful service. The fact that many customers don't is a 
HUGE and very serious issue. 

I do believe, however, that the author either by design or by accident 
incorrectly identifies the source of the problem. Announcing every user 
interface that can be used to access data by an authenticated and 
authorized user is a disservice. The author's language is such that he 
focuses on the interface used to access authorized data rather than the 
fact that all authenticated users are allowed to access most data.

This is not a security exposure inherent in the system. It is an exposure in 
either the customer's security policy or his/her implementation of it. Yes, 
it's a huge problem, but there is nothing the system can do to prevent an 
authenticated user from accessing data to which he/she is authorized.

If the author would focus on publicizing the real issue, there would be a 
greater likelihood that fewer people would be confused and ignore the warnings.

On 5/16/05, rob@xxxxxxxxx <rob@xxxxxxxxx> wrote:
> 
> Frankly I think it was a good service to publish this so that I may fix my
> code. And, yes, users who are supposed to ftp files from/to our 400
> should have ftp access. It isn't that hard to write a program to lock
> this down. But with "heads up" notifications from people like this, you
> can fix it before someone exploits your mistake.
> 
> Rob Berendt
> 
>
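The point both posters circle around is that the durable control is object-level authority, not the interface (FTP, ODBC, and so on) used to reach the object. The following CL sequence is an added illustration and is not code from either poster or from the advisory they discuss; the library, file, authorization list and user profile names (PAYLIB, PAYROLL, PAYAUTL, PAYCLERK) are constructed for the example. It revokes the default public access to a file, secures the file with an authorization list so that only the listed profiles can read it, and then reports the public authority of the library's files so the administrator can confirm nothing else is left open to every authenticated user.

```cl
/* Constructed example: PAYLIB/PAYROLL is a hypothetical physical file   */
/* and PAYCLERK a hypothetical user profile. Run from a profile with     */
/* sufficient authority (*ALLOBJ or ownership of the objects).           */

/* 1. Create an authorization list that will own the access decision.   */
CRTAUTL    AUTL(PAYAUTL) AUT(*EXCLUDE) +
             TEXT('Profiles allowed to read payroll data')

/* 2. Add the profiles that legitimately need read access.              */
ADDAUTLE   AUTL(PAYAUTL) USER(PAYCLERK) AUT(*USE)

/* 3. Attach the file to the list and point *PUBLIC at the list, so the */
/*    default for any authenticated user is the list's *EXCLUDE.        */
GRTOBJAUT  OBJ(PAYLIB/PAYROLL) OBJTYPE(*FILE) AUTL(PAYAUTL)
GRTOBJAUT  OBJ(PAYLIB/PAYROLL) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*AUTL)

/* 4. Verify the result for this object, then list public authority on  */
/*    every file in the library to find others still open to *PUBLIC.   */
DSPOBJAUT  OBJ(PAYLIB/PAYROLL) OBJTYPE(*FILE)
PRTPUBAUT  OBJTYPE(*FILE) LIB(PAYLIB)
```

Because the authority is evaluated by the operating system on the object itself, the same answer is returned whether the request arrives over FTP, a 5250 session, ODBC or any interface added later; an FTP exit program that only filters commands on one server leaves every other path to the same file untouched.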


This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].