Reader Feedback and Insights: Security Flaws
September 11, 2002 Timothy Prickett Morgan
Hey, Ted:
The Validating a User Password sample program in the August 21 issue of Midrange Guru, OS/400 Edition, has some basic security flaws. As you said, the Check Password (CHKPWD) command can produce any of three messages (CPF2362, CPF2363, and CPF2364). The problem is that the program only monitors for one of those messages. The program works correctly for the CPF2362 message but it fails for the other two. When it gets either of these two error messages (because the user has intentionally given a bad password several times in a row) the program will function check and then end. This will allow any user to get at the function you were trying to protect with the password.
— Ed Fishel
edfishel@us.ibm.com
Thanks for taking the time to write, Ed.
The code in Midrange Guru is for illustrative purposes only. It is not meant to be an industrial-strength solution. I assume that the readers of this publication are intelligent people and will adapt published techniques to their specific situations.
If any reader wants to provide a more robust piece of source code, I will be glad to publish it.
— Ted
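Taking up Ted's invitation, here is an added CL example (constructed for this page, not Ed's or Ted's code and not the August 21 sample itself) that handles all three CHKPWD messages and fails closed; the PROTECTED program it calls is a placeholder for whatever function the password is guarding.

```cl
/* Constructed example: password gate that monitors every CHKPWD       */
/* escape message, not only CPF2362, so a failed check can never       */
/* function check and fall through to the protected function.          */
             PGM        PARM(&USER &PWD)
             DCL        VAR(&USER) TYPE(*CHAR) LEN(10)
             DCL        VAR(&PWD)  TYPE(*CHAR) LEN(10)

/* Program-level monitor: any escape message not handled explicitly    */
/* below also ends in DENY (fail closed instead of a function check).  */
             MONMSG     MSGID(CPF0000 MCH0000) EXEC(GOTO CMDLBL(DENY))

             CHKPWD     USRPRF(&USER) PASSWORD(&PWD)
/* Command-level monitor for all three messages the letter lists.      */
             MONMSG     MSGID(CPF2362 CPF2363 CPF2364) +
                          EXEC(GOTO CMDLBL(DENY))

/* Only reached when CHKPWD completed without an escape message.       */
/* PROTECTED is a placeholder name for the guarded function.           */
             CALL       PGM(PROTECTED)
             RETURN

/* Deny path: record the refusal in the job log and signal the caller  */
/* with an escape message so it cannot continue as if the check passed.*/
 DENY:       SNDPGMMSG  MSG('Password check failed for user' *BCAT &USER) +
                          TOPGMQ(*EXT)
             SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                          MSGDTA('Password not verified; request denied') +
                          MSGTYPE(*ESCAPE)
             ENDPGM
```

Whether CPF2363 or CPF2364 indicates a disabled profile rather than a mistyped password, the program treats every CHKPWD escape message the same way: no protected call, and an escape to the caller.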