HTTP Security loophole

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • HTTP Security loophole

    After finding out that program names in the URL are no longer case sensitive, I found a possible loophole that may be overlooked. I have a protection directive set up in my HTTP config that looks like the following:
     Protection CGIPGM1P { AuthType BASIC ServerID ServerName PasswdFile QGPL/USERVLDL GetMask All PostMask All } 
    My MAP directives are as follows:
     Map /cgi-bin/* /QSYS.LIB/AS400CGI.LIB/*.PGM
     Map /CGI-BIN/* /QSYS.LIB/AS400CGI.LIB/*.PGM
    The CGI program name is CGIPGM1. I had a PROTECT directive set up as follows:
     Protect /QSYS.LIB/AS400CGI.LIB/CGIPGM1.PGM CGIPGM1P 
    This worked great and prompted for a user id and password when it was executed. But, I found out that if I used cgipgm1 (lower case) in the URL instead of CGIPGM1, the security validation did not happen. So, I added the following line:
     Protect /QSYS.LIB/AS400CGI.LIB/cgipgm1.PGM CGIPGM1P 
    Things now work ok. I'm just posting this in case someone runs across this. Who knows why you have to protect both, just something interesting.


  • #2
    HTTP Security loophole

    On Thursday, April 22, 1999, 07:04 AM, Bradley V. Stone wrote: This worked great and prompted for a user id and password when it was executed. But, I found out that if I used cgipgm1 (lower case) in the URL instead of CGIPGM1, the security validation did not happen. So, I added the following line:
     Protect /QSYS.LIB/AS400CGI.LIB/cgipgm1.PGM CGIPGM1P 
    Things now work ok. I'm just posting this in case someone runs across this. Who knows why you have to protect both, just something interesting.

    Uh oh. What if you type a combination of upper and lower in the URL? Like CgiPgm1.Pgm? Does that mean you would have to enter every possible combination of upper and lower case??? Yeeps!



    • #3
      HTTP Security loophole

      On Thursday, April 22, 1999, 04:55 AM, Mark Neil wrote: We have a requirement to set up AS/400 to send/receive email to external addresses. We want the email addresses to be of the form user@domain, but the AS/400 default format seems to be user@systemname.domain. I understand how to route incoming mail addressed to user@domain to the right place using DNS and MX records, but how do I get the outbound mail to have user@domain (rather than user@systemname.domain) as the sender? The only way I know is to set up an SMTP alias for each user, but this is a pain for 400+ users. Can I get it to default somehow? Any advice gratefully received! Mark
      Mark, what version of OS/400 are you on? SNADS is as you say USER@SYSTEM. In version 3 the only way I could send an SMTP mail message was to set up a user id with a forward option to an SMTP address. In version 4+, IBM enhanced the SNDDST command so it has an Internet address option and can send to an SMTP address without having to set up a user id. JHicks@SUZ.com



      • #4
        HTTP Security loophole

        On Thursday, April 22, 1999, 07:14 AM, Joe Pluta wrote: On Thursday, April 22, 1999, 07:04 AM, Bradley V. Stone wrote: This worked great and prompted for a user id and password when it was executed. But, I found out that if I used cgipgm1 (lower case) in the URL instead of CGIPGM1, the security validation did not happen. So, I added the following line:
         Protect /QSYS.LIB/AS400CGI.LIB/cgipgm1.PGM CGIPGM1P 
        Things now work ok. I'm just posting this in case someone runs across this. Who knows why you have to protect both, just something interesting.

        Uh oh. What if you type a combination of upper and lower in the URL? Like CgiPgm1.Pgm? Does that mean you would have to enter every possible combination of upper and lower case??? Yeeps!
        You got it. I didn't think to try it, but I just did and you're right. You would have to specify every combination. That's got to be a bug.



        • #5
          HTTP Security loophole

          On Thursday, April 22, 1999, 11:44 AM, Bradley V. Stone wrote: You would have to specify every combination. Why wouldn't you simply specify Protect /QSYS.LIB/AS400CGI.LIB/* CGIPGM1P? Steve "Enter any 11 digit prime number to continue . . . "



          • #6
            HTTP Security loophole

            I'm on V4R3. My only issue is the admin of setting up so many SMTP aliases for the local AS/400 users so that their domain names don't include the AS/400 host name. If I could get SMTP to use the domain name on its own by default it would be much easier! Mark



            • #7
              HTTP Security loophole

              On Thursday, April 22, 1999, 04:55 AM, Mark Neil wrote: We have a requirement to set up AS/400 to send/receive email to external addresses. We want the email addresses to be of the form user@domain, but the AS/400 default format seems to be user@systemname.domain. I understand how to route incoming mail addressed to user@domain to the right place using DNS and MX records, but how do I get the outbound mail to have user@domain (rather than user@systemname.domain) as the sender? The only way I know is to set up an SMTP alias for each user, but this is a pain for 400+ users. Can I get it to default somehow? Any advice gratefully received! Mark
              Mark, I didn't find it very difficult to set the SMTP address for our users. Have you run the CVTNAMSMTP command? This can make it easier to synchronize names between systems by placing the SMTP addresses into the directory entry as a user defined field. I added directory entries for all of our users that were not disabled, had a password, and did not currently have a directory entry. First I ran CVTNAMSMTP. Then I had our security officer build a list of users using DSPUSRPRF to an output file. I then had him build a list of current directory entries. Based on information in these lists, I deleted records from the profile file that did not meet my selection criteria. Next I updated the current directory entries using the CL program that is enclosed. Then I ran an SQLRPGLE program to update and add directory entries for users that did not have one. The source for this program follows the CL. This took less than two hours for about 400 users. The one problem caused was when a key employee on maternity leave came back and did not have the directory entry because her password was disabled when I ran this. David Morris
               pgm
               dclf dire
               next: rcvf
               monmsg cpf0000 exec(goto end)
               if cond(&dxdgn = 'PCTCI') then(do)
               chgdire usrid(&dxden &dxdgn) +
                 usrdfnfld((SMTPAUSRID SMTP &dxusrp) +
                 (SMTPDMN SMTP 'PLUMCREEK.COM')) +
                 msfsrvlvl(*SYSMS) +
                 prefadr(*SMTP)
               monmsg cpf0000
               enddo
               goto next
               end: endpgm

               DDirEAdd          PR
                /COPY QPROTOSRC,ExcCmd
               DLocCnt           C                   CONST(%ELEM(LocTab))
               DLocTab           S             40A   DIM(22) CTDATA
               DAltLoc           S             40A   DIM(22) CTDATA
               DUsrPrf         E DS                  EXTNAME(UsrPrf)
               DLocIdx           S              5U 0
               DPos              S              5U 0
               DNxtPos           S              5U 0
               DUsrD1            S             20A
               DUsrD2            S             20A
               DUsrD3            S             20A
               DFstNam           S             22A
               DLstNam           S             22A
               DMidNam           S             22A
               DFulNam           S             52A
               DUsrD             S             52A
               DLoc              S             42A
               DCmd              S           1024A
               C/EXEC SQL
               C+  Declare Csr Cursor for
               C+    SELECT * FROM UsrPrf
               C+    WHERE UPUPRF ¬= all(SELECT DXUSRP from DIRE) AND
               C+          UPGRPI = '*NO' AND
               C+          UPPWON = '*NO '
               C/END-EXEC
               C/EXEC SQL
               C+  Open Csr
               C/END-EXEC
               C                   EVAL      *IN99 = *ON
               C                   DOW       SQLCod >= *ZEROS AND
               C                             SQLCod <> 100
               C/EXEC SQL
               C+  Fetch From Csr into :UsrPrf
               C/END-EXEC
               C                   IF        SQLCod >= *ZEROS and SQLCod <> 100
               C                   EVAL      Pos = %SCAN(' ': UPTEXT)
               C                   EVAL      UsrD1 = %TRIMR(%SUBST(UPTEXT: 1: Pos - 1))
               C                   EVAL      FstNam = '''' +
               C                               %TRIMR(
               C                               %SUBST(UPTEXT: 1: Pos - 1)) +
               C                               ''''
               C                   EVAL      NxtPos = Pos + 1
               C                   EVAL      Pos = %SCAN(' ': UPTEXT: NxtPos)
               C                   IF        Pos = NxtPos + 2
               C                   EVAL      UsrD2 = %TRIMR(%SUBST(UPTEXT: NxtPos: 2))
               C                   EVAL      MidNam = '''' +
               C                               %TRIMR(
               C                               %SUBST(UPTEXT: NxtPos: 2)) +
               C                               ''''
               C                   EVAL      NxtPos = Pos + 1
               C                   EVAL      Pos = %SCAN(' ': UPTEXT: NxtPos)
               C                   ELSE
               C                   EVAL      UsrD2 = *BLANKS
               C                   EVAL      MidNam = '*N'
               C                   END
               C                   EVAL      UsrD3 = %TRIMR(
               C                               %SUBST(UPTEXT:
               C                               NxtPos:
               C                               Pos - NxtPos))
               C                   EVAL      LstNam = '''' +
               C                               %TRIMR(
               C                               %SUBST(UPTEXT:
               C                               NxtPos:
               C                               Pos - NxtPos)) +
               C                               ''''
               C                   IF        UsrD2 <> *BLANKS
               C                   EVAL      UsrD = '''' +
               C                               %TRIMR(UsrD3) + ', ' +
               C                               %TRIMR(UsrD1) + ' ' +
               C                               %TRIMR(UsrD2) +
               C                               ''''
               C                   ELSE
               C                   EVAL      UsrD = '''' +
               C                               %TRIMR(UsrD3) + ', ' +
               C                               %TRIMR(UsrD1) +
               C                               ''''
               C                   END
               C                   EVAL      FulNam = '''' +
               C                               %TRIMR(
               C                               %SUBST(UPTEXT: 1: Pos - 1)) +
               C                               ''''
               C*
               C* Set location.
               C                   EVAL      Loc = '*N'
               C                   DO        LocCnt        LocIdx
               C                   EVAL      Pos = %SCAN(%TRIMR(LocTab(LocIdx)): UPTEXT)
               C                   IF        Pos <> *ZEROS
               C                   EVAL      Loc = '''' + %TRIMR(AltLoc(LocIdx)) + ''''
               C                   LEAVE
               C                   END
               C                   ENDDO
               C*
               C                   EVAL      Cmd = 'ADDDIRE +
               C                               USRID(' +
               C                               %TRIMR(UPUPRF) +
               C                               ' ' +
               C                               %TRIMR(UPSYST) + ') +
               C                               USRD(' +
               C                               %TRIMR(UsrD) + ') +
               C                               USER(' +
               C                               %TRIMR(UPUPRF) + ') +
               C                               LSTNAM(' +
               C                               %TRIMR(LstNam) + ') +
               C                               FSTNAM(' +
               C                               %TRIMR(FstNam) + ') +
               C                               MIDNAM(' +
               C                               %TRIMR(MidNam) + ') +
               C                               FULNAM(' +
               C                               %TRIMR(FulNam) + ') +
               C                               LOC(' +
               C                               %TRIMR(Loc) + ') +
               C                               USRDFNFLD((SMTPAUSRID SMTP ' +
               C                               %TRIMR(%SUBST(UPUPRF:1:8)) +
               C                               ') (SMTPDMN SMTP +
               C                               ''PLUMCREEK.COM'')) +
               C                               MSFSRVLVL(*SYSMS) +
               C                               PREFADR(*SMTP)'
               C                   CALLP     ExcCmd(Cmd)
               C                   END
               C                   ENDDO
               C/EXEC SQL
               C+  Close Csr
               C/END-EXEC
               C                   EVAL      *INLR = *ON
               C                   Return
               **CTDATA LocTab
               ... some locations
               **CTDATA AltLoc
               ... Alternate names for locations



              • #8
                HTTP Security loophole

                On Friday, April 23, 1999, 01:53 AM, Mark Neil wrote: I'm on V4R3. My only issue is the admin of setting up so many SMTP aliases for the local AS/400 users so that their domain names don't include the AS/400 host name. If I could get SMTP to use the domain name on its own by default it would be much easier! Mark
                Let me see if I understand. You want to send email to the AS/400 with SMTP, but not include the host name in the SMTP addresses. You are saying your email looks like MARK@AS400.DOMAIN.COM. You want the SMTP address to be MARK@DOMAIN.COM. Is that the question? If so then this is a DNS issue. Your DNS server needs to have a mail server defined for the domain. If no mail server is defined for the domain, then you have to include the system name in the SMTP address. On the other hand, if you want to send an email message from the AS/400 to someone with an SMTP address and not have to set up a SNADS account, you want to use something like SNDDST TYPE(*LMSG) TOINTNET((JHICKS@SUZ.COM)) LONGMSG('TEST OF SMTP'). The TOINTNET option on the SNDDST command was not available on V3+; you had to send to a SNADS user id before V4. In V3 you could forward a user's SNADS messages to an SMTP address so you always had to create a SNADS account. Before you can use the TOINTNET option on SNDDST, you need to create an SMTP gateway account in SNADS. Once you create the SMTP gateway account, use the CHGDSTA command with the SMTPRTE option to tell it to route SMTP addresses to that account. In effect SNADS still needs an account to store and forward the email, but it only needs one for all SMTP. When you set up the account, use ADDDIRE with PREFADR(NETUSRID *IBM ATCONTXT). This will cause the messages to be forwarded to the SMTP address in the SNDDST command. JHicks@SUZ.com



                • #9
                  HTTP Security loophole

                  On Friday, April 23, 1999, 12:40 PM, Jim Hicks wrote: SNDDST TYPE(*LMSG) TOINTNET((JHICKS@SUZ.COM)) LONGMSG('TEST OF SMTP')
                  I'm using V4R3 and don't see the TYPE(*LMSG) as an option for SNDDST. Are you on V4R4?



                  • #10
                    HTTP Security loophole

                    On Friday, April 23, 1999, 12:57 PM, terry ingram wrote: On Friday, April 23, 1999, 12:40 PM, Jim Hicks wrote: SNDDST TYPE(*LMSG) TOINTNET((JHICKS@SUZ.COM)) LONGMSG('TEST OF SMTP') I'm using V4R3 and don't see the TYPE(*LMSG) as an option for SNDDST. Are you on V4R4?
                    We are on V4R3. The *LMSG was added in V3R7. I don't know if you need to do something like set up the SMTP service to have it appear. I have been using it for some time. When we installed V3R7, it did not have the LMSG option or the ability to forward to SMTP addresses. IBM came out with some PTFs that enhanced SNADS and allowed you to forward to SMTP addresses. The PTFs and the installation procedures were outlined in an IBM Redbook on EMAIL for the AS/400. After we installed the PTFs and set up the SMTP service, as described in the Redbook, the LMSG option appeared on the SNDDST command. Later when we upgraded to V4R3, the SNDDST command was enhanced to include the TOINTNET option. The LMSG option still appeared. I always assumed that the SMTP options would appear for everyone in V4. But maybe some extra PTF or installation still needs to be done. JHicks@SUZ.com



                    • #11
                      HTTP Security loophole

                      On Friday, April 23, 1999, 12:57 PM, terry ingram wrote: On Friday, April 23, 1999, 12:40 PM, Jim Hicks wrote: SNDDST TYPE(*LMSG) TOINTNET((JHICKS@SUZ.COM)) LONGMSG('TEST OF SMTP') I'm using V4R3 and don't see the TYPE(*LMSG) as an option for SNDDST. Are you on V4R4?
                      The IBM Redbook, AS/400 Electronic-Mail Capabilities, SG24-4703-00, appendix B, shows how to use the SNDDST command to send SMTP messages and attachments. It states that you need to install PTFs to get the capability on the following versions:
                        • V3R2M0 SF45328
                        • V3R7M0 SF45415
                        • V4R1M0 SF45226
                      It implies that future versions, after V4R1, would have the feature. JHicks@SUZ.com



                      • #12
                        HTTP Security loophole

                        On Friday, April 23, 1999, 12:40 PM, Jim Hicks wrote: On Friday, April 23, 1999, 01:53 AM, Mark Neil wrote: I'm on V4R3. My only issue is the admin of setting up so many SMTP aliases for the local AS/400 users so that their domain names don't include the AS/400 host name. If I could get SMTP to use the domain name on its own by default it would be much easier! Mark Let me see if I understand. You want to send email to the AS/400 with SMTP, but not include the host name in the SMTP addresses. You are saying your email looks like MARK@AS400.DOMAIN.COM. You want the SMTP address to be MARK@DOMAIN.COM. Is that the question? If so then this is a DNS issue. Your DNS server needs to have a mail server defined for the domain. If no mail server is defined for the domain, then you have to include the system name in the SMTP address. On the other hand, if you want to send an email message from the AS/400 to someone with an SMTP address and not have to set up a SNADS account, you want to use something like SNDDST TYPE(*LMSG) TOINTNET((JHICKS@SUZ.COM)) LONGMSG('TEST OF SMTP'). The TOINTNET option on the SNDDST command was not available on V3+; you had to send to a SNADS user id before V4. In V3 you could forward a user's SNADS messages to an SMTP address so you always had to create a SNADS account. Before you can use the TOINTNET option on SNDDST, you need to create an SMTP gateway account in SNADS. Once you create the SMTP gateway account, use the CHGDSTA command with the SMTPRTE option to tell it to route SMTP addresses to that account. In effect SNADS still needs an account to store and forward the email, but it only needs one for all SMTP. When you set up the account, use ADDDIRE with PREFADR(NETUSRID *IBM ATCONTXT). This will cause the messages to be forwarded to the SMTP address in the SNDDST command. JHicks@SUZ.com
                        Jim, another reason you might want to set up SMTP names is so that the originator's address can be set. The new TOINTNET parameter applies only to the recipients. That is why I created directory entries for our users. With SNDDST you don't have the ability to override the user identifier information without setting up a directory entry. David Morris



                        • #13
                          HTTP Security loophole

                          Jim, another reason you might want to set up SMTP names is so that the originator's address can be set. The new TOINTNET parameter applies only to the recipients. That is why I created directory entries for our users. With SNDDST you don't have the ability to override the user identifier information without setting up a directory entry. David Morris
                          David is right, it was the originator's address that I was talking about. I want my mail to appear from me as mark@domain.com, not mark@system.domain.com. Thanks to David and Jim for your help on this - I understand now that I do need SMTP names for all my users, and I'll probably use a variation of David's code to do this. Cheers, Mark



                          • #14
                            HTTP Security loophole

                            On Thursday, April 22, 1999, 11:55 AM, Steve McKay wrote: On Thursday, April 22, 1999, 11:44 AM, Bradley V. Stone wrote: You would have to specify every combination. Why wouldn't you simply specify Protect /QSYS.LIB/AS400CGI.LIB/* CGIPGM1P? Steve "Enter any 11 digit prime number to continue . . . "
                            I have many programs in my CGI library and I don't need PW protection on all of them.



                            • #15
                              HTTP Security loophole

                              On Thursday, April 22, 1999, 11:44 AM, Bradley V. Stone wrote: On Thursday, April 22, 1999, 07:14 AM, Joe Pluta wrote: On Thursday, April 22, 1999, 07:04 AM, Bradley V. Stone wrote: This worked great and prompted for a user id and password when it was executed. But, I found out that if I used cgipgm1 (lower case) in the URL instead of CGIPGM1, the security validation did not happen. So, I added the following line:
                               Protect /QSYS.LIB/AS400CGI.LIB/cgipgm1.PGM CGIPGM1P 
                              Things now work ok. I'm just posting this in case someone runs across this. Who knows why you have to protect both, just something interesting.

                              Uh oh. What if you type a combination of upper and lower in the URL? Like CgiPgm1.Pgm? Does that mean you would have to enter every possible combination of upper and lower case??? Yeeps!
                              You got it. I didn't think to try it, but I just did and you're right. You would have to specify every combination. That's got to be a bug.
                              I would suggest instead of just posting here about the bug, that you report the problem to IBM service and request that an APAR be opened; and if you view this as important enough, to request that a PTF be provided. From what I can infer... if the server folds the case to upper for the name in the statements that refer to which program to invoke, then they should be doing the same for comparison tests with the names in the "protect". Regards, Chuck Comments provided "as is" with no warranties of any kind whatsoever.
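The mismatch the thread circles around (Map copies the program name as typed, QSYS.LIB finds the object regardless of case, Protect compares the mapped path case-sensitively) can be checked mechanically before a server goes live. The following audit script is added here for illustration; it is not the IBM HTTP server's code nor anything the posters shared, the mapping and compare rules it models are assumptions taken from the behaviour described above, the directives are a constructed sample built from the ones quoted in the thread, and the fold_case switch shows what Chuck's proposed fix would change.

```python
import fnmatch

# Constructed sample holding the directives quoted in this thread; not a real
# HTTP config file and not the server's own parser.
CONFIG = """
Protection CGIPGM1P { AuthType BASIC PasswdFile QGPL/USERVLDL GetMask All PostMask All }
Map /cgi-bin/* /QSYS.LIB/AS400CGI.LIB/*.PGM
Map /CGI-BIN/* /QSYS.LIB/AS400CGI.LIB/*.PGM
Protect /QSYS.LIB/AS400CGI.LIB/CGIPGM1.PGM CGIPGM1P
Protect /QSYS.LIB/AS400CGI.LIB/cgipgm1.PGM CGIPGM1P
"""

def parse(config):
    """Collect (template, target) Map pairs and (template, setup) Protect pairs."""
    maps, protects = [], []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "Map":
            maps.append((parts[1], parts[2]))
        elif len(parts) >= 3 and parts[0] == "Protect":
            protects.append((parts[1], parts[2]))
    return maps, protects

def map_url(url, maps):
    """Assumed mapping rule: the fixed part of the Map template must match the
    URL exactly and whatever '*' matched is copied into the target as typed.
    QSYS.LIB then locates the object whatever its case, as the thread reports."""
    for template, target in maps:
        prefix, _, suffix = template.partition("*")
        if url.startswith(prefix) and url.endswith(suffix):
            wild = url[len(prefix):len(url) - len(suffix)]
            return target.replace("*", wild, 1)
    return None

def protection_for(path, protects, fold_case=False):
    """Name of the Protection setup guarding a mapped path, or None.
    fold_case=False is the case-sensitive compare the thread observed;
    fold_case=True is the folding Chuck argues the server should do."""
    for template, setup in protects:
        p, t = (path.upper(), template.upper()) if fold_case else (path, template)
        if fnmatch.fnmatchcase(p, t):
            return setup
    return None

def unprotected_variants(program, maps, protects, url_prefix="/cgi-bin/", fold_case=False):
    """Audit helper: try the casings discussed in the thread and return those
    that still reach the program but hit no Protect directive."""
    variants = [program.upper(), program.lower(), program.capitalize(),
                program[:3].capitalize() + program[3:].capitalize()]  # e.g. CgiPgm1
    leaks = []
    for v in variants:
        path = map_url(url_prefix + v, maps)
        if path is not None and protection_for(path, protects, fold_case) is None:
            leaks.append(v)
    return leaks

if __name__ == "__main__":
    maps, protects = parse(CONFIG)
    print("case-sensitive Protect:", unprotected_variants("cgipgm1", maps, protects))
    print("with case folding:     ", unprotected_variants("cgipgm1", maps, protects, fold_case=True))
    wide = protects + [("/QSYS.LIB/AS400CGI.LIB/*", "CGIPGM1P")]
    print("Steve's wildcard rule: ", unprotected_variants("cgipgm1", maps, wide))
```

Run as a script it lists the casings that slip past the two Protect lines, shows that none slip past once the compare folds case, and confirms that Steve's library-wide wildcard also closes the gap (at the cost Bradley notes of protecting every program in the library).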
