What are the security exposures from the current www clients?

What are the security exposures from the current www clients?

Post by Ken Paquet » Sat, 17 Dec 1994 12:15:10



Folks around heere are gun shy.  What are the exposures of running the current
set of www clients?  Can someone break in or plant a trojan horse?

Thanks
---------------------------------------------------------------------------
Ken Paquette; IBM Microelectronics Division; Distributed Computing Services

IBMMAIL: USIB1X62; X.400  c=us; a=ibmx400; p=ibmmail; s=paquette; g=paquetk

 
 
 

1. Unicenter security exposure? - logging invalid userids

I have a system with CA-Unicenter on it. I am concerned that when there is
an invalid login attempt, Unicenter displays the userid on the console and
records it in it's logs. The log files are world readable. I would like the
attempts recorded, but without the userid if it is not valid.

The way I see it, if the userid is invalid it is quite possible that it
contains the password of the user, and that the next login will have the
correct userid. In the worst case, the message will have both the userid
and password in it eg. on my keyboard backslash is right above enter - if I
hit them together the cursor goes to the next line but it is still reading
the userid.

I have raised it with CA but they don't seem to think it is a problem. I
would like some references or even just the weight of opinion to say that
this is a security exposure and not just a customer being difficult.
Alternatively, reassure me that I am worrying about nothing.

Andrew Rowley

2. Mouse help for absolute newbie

3. Unicenter security exposure - recording invalid userids

4. Setting up "dual identity" for a laptop??

5. ELF a security exposure?

6. Debian Newbie

7. What is the security exposure with ftp scripts?

8. Why is this happening?

9. security exposure?

10. client exposure

11. I am looking for Linux Security FAQ and Security related sites

12. SECURITY/WWW: The Linux Security Home Page

13. Current options for commerce over WWW?