What about the software packages that he listed that DO NOT have this problem - was it a service to them? I'm not sure the product marketing and support folks that had their time wasted by customers wanting fixes for a non-existent problem would agree.

Kurt

> -----Original Message-----
> From: midrange-l-bounces@xxxxxxxxxxxx [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of rob@xxxxxxxxx
> Sent: Tuesday, May 17, 2005 4:44 PM
> To: Midrange Systems Technical Discussion
> Subject: RE: iSeries FTP security
>
> Scott,
>
> I think we need to compromise between "any valid, authenticated user" and it's only a security issue if it's a Windows specific issue like a buffer overflow.
>
> I still think, in this case, he provided a service and I appreciate the heads up.
>
> Rob Berendt
> --
> Group Dekko Services, LLC
> Dept 01.073
> PO Box 2000
> Dock 108
> 6928N 400E
> Kendallville, IN 46755
> http://www.dekko.com
>
>
> "Ingvaldson, Scott" <SIngvaldson@xxxxxxxxxxxx>
> Sent by: midrange-l-bounces@xxxxxxxxxxxx
> 05/17/2005 08:33 AM
> Please respond to
> Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
>
> To: <midrange-l@xxxxxxxxxxxx>
> cc:
> Subject: RE: iSeries FTP security
>
> Of course that would be a serious vulnerability. But who among us does not already know this and should it really be considered an "exploit?" As to the second question, you don't need to write a program to secure FTP, you can just turn it off.
>
> The disservice that Mr. Carmel is doing is not in the area of educating users on iSeries security, it is in the misposting of these "vulnerabilities" in places like Bugtraq and suggesting that these are weaknesses inherent in the iSeries. Maybe I'm off base here, but in my mind a true exploit reads something like this: "Attackers can exploit a buffer overflow in the login to gain root access..."
>
> Certainly we can all pay more attention to security and most likely every one of us has multiple back doors and unauthorized access points on our systems that could be locked down a little tighter. Should something like this really be considered a serious vulnerability: "A valid, authenticated user can access and retrieve all of the files that he has authority to..." Or is that how it's supposed to work?
>
> Should someone post to Bugtraq the fact that many newer iSeries models have a port in the back that accepts a standard ethernet cable and will allow any "valid, authenticated user" to download all of "the files that he has authority to?" If you unplug your ethernet lines your system will be much more secure (and much more useless.)
>
> Regards,
>
> Scott Ingvaldson
> iSeries System Administrator
> GuideOne Insurance Group
>
>
> -----Original Message-----
> date: Mon, 16 May 2005 15:38:01 -0600 (MDT)
> from: James Rich <james@xxxxxxxxxxx>
> subject: RE: iSeries FTP security
>
> On Mon, 16 May 2005, Ingvaldson, Scott wrote:
>
> > I'll certainly agree that many, if not most, shops do not pay enough attention to security. What I disagree with is that this particular "exploit" is as serious as is implied, based on the requirement of a valid, authenticated user to perform it. That's like saying that leaving your QSECOFR password set to default and having a direct internet connection is a "serious vulnerability."
>
> Doing so *does* constitute a serious vulnerability.
>
> > Certainly, Rob, a sufficiently knowledgeable and talented user could use FTP to go after
> > /qsys.lib/mylib.lib/myfile.file/mymbr.mbr/../../payroll.file/payroll.mbr
> > and download the payroll file, but should this user have FTP access to this system at all? Is this really an "exploit" or, to coin a phrase, "Working As Designed?" How difficult is it to write an Exit Point Program to restrict all FTP access to authorized FTP users only?
>
> So to adequately secure an iSeries I have to write a program?
>
> Exploits can take advantage of coding flaws, configuration flaws, and design flaws. That something is working as designed does not in and of itself mean that it is not an exploit. Look no further than ActiveX for proof of that.
>
>
> --
> This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
> To post a message email: MIDRANGE-L@xxxxxxxxxxxx
> To subscribe, unsubscribe, or change list options,
> visit: http://lists.midrange.com/mailman/listinfo/midrange-l
> or email: MIDRANGE-L-request@xxxxxxxxxxxx
> Before posting, please take a moment to review the archives
> at http://archive.midrange.com/midrange-l.
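The exit point check the thread argues about, as an added example that is not part of any of the messages above: a stand-alone Python model of the decision such a program would make, with a hypothetical user table, libraries and request paths constructed for illustration. It is not an IBM i FTP exit program and does not reproduce the exit point's parameter format; on the real system object authority still applies underneath, and this is the extra layer the thread is discussing. It shows the two checks that matter: whether the user is allowed to use FTP at all, and whether the path the client sent still lands inside the library the user is confined to once `..` is resolved. A prefix check on the raw string lets the traversal through; the same rule applied to the normalized path rejects it. Note that resolving the thread's own example path leaves it inside mylib.lib, so the constructed path here backs out one level further to cross into another library.

```python
"""Model of an FTP request-validation decision for QSYS.LIB paths.

Added example, not an IBM i exit program: the policy table, users,
libraries and paths below are constructed for illustration.
"""
from posixpath import normpath

# Constructed policy (hypothetical): users allowed to use FTP at all,
# each confined to one library. Anyone not listed is refused outright.
FTP_POLICY = {
    "EDIUSER": "/qsys.lib/edi.lib",
    "BATCH01": "/qsys.lib/mylib.lib",
}

# Constructed request path: starts under edi.lib, then backs out three
# levels (member, file, library) into a different library.
TRAVERSAL = ("/qsys.lib/edi.lib/orders.file/orders.mbr"
             "/../../../payroll.lib/payroll.file/payroll.mbr")


def canonical(path: str) -> str:
    """Resolve '.', '..' and repeated slashes lexically, the way the file
    system will, and fold case (QSYS.LIB names are case-insensitive), so a
    check compares the object actually addressed, not the bytes sent."""
    if not path.startswith("/"):
        raise ValueError("expected an absolute IFS path")
    return normpath(path).lower()


def naive_allows(path: str, allowed_lib: str) -> bool:
    """The bypassable check: prefix match on the raw client string."""
    return path.lower().startswith(allowed_lib.lower().rstrip("/") + "/")


def hardened_allows(path: str, allowed_lib: str) -> bool:
    """The same prefix rule applied to the canonical path."""
    target = canonical(path)
    lib = canonical(allowed_lib)
    return target == lib or target.startswith(lib + "/")


def validate_request(user: str, path: str, policy=FTP_POLICY):
    """Return (allowed, reason) for one transfer request, as an exit
    program would: refuse users outside the FTP allowlist, then refuse
    any path that resolves outside the user's library."""
    lib = policy.get(user.strip().upper())
    if lib is None:
        return False, f"{user}: not authorized to use FTP"
    if not hardened_allows(path, lib):
        return False, f"{user}: {canonical(path)} is outside {lib}"
    return True, f"{user}: {canonical(path)} permitted"


if __name__ == "__main__":
    print("naive   :", naive_allows(TRAVERSAL, FTP_POLICY["EDIUSER"]))
    print("hardened:", hardened_allows(TRAVERSAL, FTP_POLICY["EDIUSER"]))
    for user, path in [
        ("EDIUSER", "/qsys.lib/edi.lib/orders.file/orders.mbr"),
        ("EDIUSER", TRAVERSAL),
        ("QUSER", "/qsys.lib/edi.lib/orders.file/orders.mbr"),
    ]:
        print(*validate_request(user, path))
```

The allowlist check is the part Scott describes (restrict FTP to authorized FTP users); the path normalization is what makes a per-library restriction hold up against the `..` form of request quoted in the thread. Either check alone leaves a gap: the first does nothing about where an authorized user wanders, the second does nothing about who gets to connect.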
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.