Robert,

> Certain "security classes" will actually tell you it is GOOD to provide

No, they won't. I'd suggest joining a serious security news group/mailing list if you want to test your theory.

If we're honest, there are probably many vulnerabilities with Remedy, but it's never become a 'focus of attention' in the world of people who set out to exploit systems. If Remedy were on millions of desktops, or open to the real world, it would be far more likely that someone would notice and pay some attention. But with the huge number of poorly administered servers in the world, there's no point expending any effort.

Midtier 5.x/6.0 was indeed a pile of bugs - I recall the 'delete attachment' functionality could be used to delete local files on the server. Even the most junior of developers would have implemented a set of checks for this kind of problem. Midtier 6.3+ is pretty much a re-write (although there is some legacy stuff, for a reason that escapes me), and hence while a set of problems go away, a bunch of problems probably exist (but haven't been discovered). The sheer amount of JavaScript in use would imply there are many cross-site scripting exploits that one may deploy.

Aside from MT we could look at the ARS itself. Again, given it's a system that's used by such a small number of people (in comparison to, say, Apache, PHP, Python, Sendmail, Bind, various Perl applications, IE, etc.), then it's safe to assume that no-one has really tried to 'break it', and if some of these security gurus tried, it's safe to assume they would.

The bottom line is, if one had 12 hours to spend on writing a new worm, would you attack one of the new services in Vista or the AR System? The former humiliates Microsoft (again) and inconveniences millions, and the latter doesn't do an awful lot for anyone.

John
Java System Solutions : http://www.javasystemsolutions.com

