I can get your password

  • I can get your password

    Seems as if the 400 still isn't out of the woods yet. Through the use of the DmpSysObj command, anyone with authority to this command can see any signed-on user's password. I just verified that it works. Bill

  • #2
    Bill - Have you applied the PTFs that fix the "17 line RPG program" problem from a couple of weeks ago? I believe the DMPSYSOBJ issue is one and the same as this issue that those PTFs fixed. HTH, Steve

    • #3
      What object are you dumping? I would like to revoke authority to the specific object.

      • #4
        Steve, Yes I have that PTF applied. This is another exposure. Bill

        • #5
          Joe, This might be a bit tough. The object is the subsystem description the user is signed onto. Bill

          • #6
            Am I being thick? I can't see the hole. I am using: DMPSYSOBJ OBJ(QINTER) CONTEXT(QSYS) OBJTYPE(*SBSD) but I do not see any passwords.

            • #7
              Bill, What security level is your system running at and do you have any special authorities? David Morris

              • #8
                Joe, It's not that easy! I've gone about as far as I feel comfortable with dispersing here. I just wanted everyone to know that there was another exposure. Bill

                • #9
                  David, To answer your questions: I am a Security Officer, we are at Lvl30, I have AllObj. To answer between the lines: If a user obtains the authority to run DmpSysObj and has read authority to the subsystem description, I believe this will still work. The person supplying this method did not give any caveats as to security level restrictions. Bill

                  • #10
                    Well, without disclosure how do we know you are not full of BS? My brother told me he knows of proof of aliens but he can't tell anyone, so I must believe him, right?

                    • #11
                      Joe, I understand your apprehension, but I will let my reputation on these forums stand on its own. I hope you will understand the sensitive nature of this subject and my unwillingness to post the complete method here. My purpose is not to tease everyone with an "I know something you don't know", but to put everyone on notice that there are still some holes that need to be filled. I believe that there are a couple of other participants in these forums who also have access to the same source where I obtained this exposure. Hopefully, they will post a confirmation note that there is a problem as well. Bill

                      • #12
                        Considering Bill's posting history here, it seems unlikely that he would BS us. (And the onus of proof would be on your brother in your example. He would have to prove a positive; you do not have to prove a negative.)

                        • #13
                          "I just wanted everyone to know that there was another exposure." Bill, Does "everyone" include IBM? Have you reported your finding so that they can issue a fix for it? If yes, what was their reaction and/or response?

                          • #14
                            Bill, "I believe that there are a couple of other participants in these forums who also have access to the same source where I obtained this exposure. Hopefully, they will post a confirmation note that there is a problem as well."

                            Yes, there is a "son of sniff" RPG program. This one is 34 lines, but is even more dastardly than the first one. This original program gave you the password to whoever happened to be the last one to signon in your subsystem. The new program (which works even with the PTFs for the original exposure applied) lets you name any specific device in your current subsystem. It will provide the password for that user, provided they are signed on. The RPG program only runs at level 30 or below, unless patched to system state (where it can run at level 50). The DMPSYSOBJ command Bill referred to is the equivalent of the RPG program, but will run even at level 50 since it is already system state. It actually takes more than one DMPSYSOBJ command to exploit this particular vulnerability.

                            Bottom line: level 30 gives you a false sense of security. There are *lots* of holes which can be exploited. The above referenced RPG program is just another one of them, and armed with the source nearly anyone could exploit it. The DMPSYSOBJ command by default is not available to regular users, but is to those with a QSYSOPR or QPGMR class. IMHO, they should be excluded too. Doug

                            PS - Last I checked there were only 218 subscribers to the source Bill was referring to (assuming he got it from the same source I did). And no public archives.

                            PPS - The RPG version was posted on July 14. The MI version on the 18th, and the DMPSYSOBJ version today.

                            • #15
                              Susan, Ouch! Good questions. No, I haven't contacted them. The source(s) of my information have much larger and more respected names than I do, in fact I believe that IBMers are participants in this information source as well. It took IBM a week last time, let's see what it takes this time. Bill
