Date: Mon, 4 Apr 2005 21:43:52 +0300
From: "Shalom Carmel" <shalom@...era.com>
To: "bugtraq" <bugtraq@...urityfocus.com>
Subject: Disclosure of AS/400 user accounts via the FTP server


Disclosure of AS/400 user accounts via the FTP server

Overview
---------
AS/400 servers support FTP in two modes, legacy mode and IFS mode, 
and support switching between both modes by a special FTP command. 
When in IFS mode, it is possible to create a special symbolic link 
file and retrieve the full list of user accounts.

Details
--------
The iSeries FTP server supports two methods to look at disk contents. 
You can view and manipulate existing libraries and database files 
inside the libraries in the traditional legacy mode, 
or as part of the Integrated File System (IFS).

The iSeries FTP server can be instructed to change the mode 
from legacy to IFS by special FTP commands.

The ADDLNK AS/400 utility creates a symbolic link file in IFS
that may act as a pointer to any AS/400 object, including 
the QSYS library. 

This utility can be executed from an FTP session by the special 
RCMD FTP command.

When an FTP client connects to an AS/400 server, changes the 
mode to IFS mode, and lists the contents of a symbolic link 
pointing at the QSYS library, he receives the full list of 
user accounts, including last log in date, and account authorities.



For full details and sample code please read the PDF file found at 
http://www.venera.com/downloads.htm

Shalom Carmel
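
Added example, not part of the original post or its PDF: a detection sketch that scans an FTP command audit trail for the sequence described above, an RCMD carrying ADDLNK, optionally naming QSYS, followed by a directory listing in the same session. The log layout, session ids, addresses and severity labels are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of an FTP command audit trail. The line layout
# (time, session id, client address, raw FTP command) is an assumption,
# and the command parameters are placeholders, not real syntax.
SAMPLE_LOG = """\
21:40:01 s1 192.0.2.10 USER alice
21:40:05 s1 192.0.2.10 RCMD ADDLNK <parameters naming QSYS as the link target>
21:40:09 s1 192.0.2.10 LIST <link path>
21:41:00 s2 192.0.2.20 USER bob
21:41:04 s2 192.0.2.20 LIST
21:42:00 s3 192.0.2.30 USER carol
21:42:03 s3 192.0.2.30 rcmd addlnk <parameters naming another object>
"""

LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
LISTING = {"LIST", "NLST"}  # FTP verbs that return directory contents

def find_suspect_sessions(log_text):
    """Return {session: severity} for sessions that create links via RCMD."""
    state = defaultdict(lambda: {"link": False, "qsys": False, "listed": False})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        _, session, _, verb, args = m.groups()
        verb, args = verb.upper(), (args or "").upper()
        s = state[session]
        if verb == "RCMD" and re.search(r"\bADDLNK\b", args):
            s["link"] = True
            s["qsys"] = s["qsys"] or "QSYS" in args
        elif verb in LISTING and s["link"]:
            s["listed"] = True  # a listing issued after the link was created
    findings = {}
    for session, s in state.items():
        if not s["link"]:
            continue
        if s["qsys"] and s["listed"]:
            findings[session] = "high"    # link to QSYS, then listed
        elif s["qsys"]:
            findings[session] = "medium"  # link to QSYS, no listing seen
        else:
            findings[session] = "low"     # link creation over FTP at all
    return findings

if __name__ == "__main__":
    for session, severity in find_suspect_sessions(SAMPLE_LOG).items():
        print(session, severity)
```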
