If you get physical access to any box you can hack it... after all, you are already in... Sounds like the security folks don't know much...

But it does sound like they are full of fear... Tell them you can fix it for $5000.00 and just delete the command arcache, or make it 000 permissions. Then send me $500.00 for the suggestion... 10% finder's fee ;-)

On 7/23/07, Marc Simmons <[EMAIL PROTECTED]> wrote:
Axton,

Thanks for the input. I'm actually looking to provide more guidance to our server security team. When I showed them how to create a user from the command line using arcache (an admin user at that) and then access their system, they lost their minds. When I created a form and workflow and showed them that I could access their system as root (the owner of the processes) using $PROCESS$, there were strokes, seizures, etc. So now they have asked me what else they need to look for. I was hoping that someone on the list knew of a white paper or other document that laid out a security plan for Remedy Servers.

Thanks,
Marc Simmons

On 7/20/07, Axton <[EMAIL PROTECTED]> wrote:
>
> Some other things to consider:
> - allowing back ticks in run process commands
> - run process directory and access
> - sql injection
> - relative security of data on the wire (no/weak/strong encryption)
> - web: xss vulnerabilities
> - form/field/active link permissions
> - server hardening
> - network architecture for related components
> - protocol implementation (malformed packets causing DoS, etc.); they do exist
>
> Patch is probably the incorrect term, you are probably looking to properly configure the system. Only BMC can provide patches, usually in the form of a stripped binary.
>
> Axton Grams
>
> On 7/20/07, Marc Simmons <[EMAIL PROTECTED]> wrote:
> >
> > Hi List,
> >
> > Does anyone know of a white paper that details the security risks with Remedy (i.e. arcache, arreload, encryption), etc., and how to "patch" those holes? I know that there are bits and pieces of information in the admin/config guides etc. I was just hoping that there would be a doc that consolidated all of that information.
> >
> > Thanks
> > --
> > Marc Simmons
> > Remedy Administrator
> >
> > "Everyday above ground is a good day... the rest is a choice!"
>
> UNSUBSCRIBE or access ARSlist Archives at www.arslist.org ARSlist:"Where the Answers Are"

--
Marc Simmons
Remedy Administrator

"Everyday above ground is a good day... the rest is a choice!"

--
Patrick Zandi