Umm, this "vulnerability" is nothing new, TMK, every OS/400 vrm has this
"vulnerability".  Certainly, you don't need SysReq-3-13-5 to do that.  From
any command line:  DSPLIB QSYS.  Most menu-restricted users have access to a
command line from Attn-F9 (Operational Assistant Menu).

Is knowledge of user ID's generally considered to be a "vulnerability"?
Why/how would this be considered a "configuration error"?

- Dan Bale

-----Original Message-----
From: midrange-l-admin@midrange.com
[mailto:midrange-l-admin@midrange.com]On Behalf Of Fritz Hayes
Sent: Monday, February 25, 2002 12:52 PM
To: MIDRANGE-L@midrange.com
Subject: BugTraq Exploit for OS/400


Bugtraq at SecurityFocus.com has reported (2/8/02) a vulnerability to
OS/400 saying with the right system request, the op sys will display all
active User accounts.  Check it out at:

http://online.securityfocus.com/bid/4059

They have classified the problem, IMHO, correctly as a configuration
error.

Interesting to note that this is the only reported Bugtraq for OS/400.

Best Regards

Fritz Hayes
Atwater Associates



As an Amazon Associate we earn from qualifying purchases.

This thread ...

Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.