Niall,

LINDESK isn't the flaw, it is the method that the server handled the request from a non-Windows browser. They have fixed the problem and the application now works from any OS browser. I meant the info to be a potential security alert.

Ron

>>> [EMAIL PROTECTED] 10/31/03 03:49PM >>>

I'm not entirely sure what you are saying here. Terminal Services gives you a remote session on the server. You should have to provide a username and password for this. When you get desktop access it is in the security context of the username/password you have provided. If you had full control that rather suggests that they had provided you with an inappropriate username/password. If I log into a server as root using ssh, I don't consider that to be a flaw in ssh.

Now I might be misunderstanding what you are saying here, and it could be that LINDESK doesn't honour the credentials you provide it with, but this also doesn't seem like a terminal services flaw...

Niall

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ron Rogers
> Sent: 31 October 2003 14:05
> To: Multiple recipients of list ORACLE-L
> Subject: Win termin services alert
>
> List.
> Regarding Windows Terminal services...
> It is used to remotely display an action back to the requesting windows client with software control. Usually used in a browser application. We have an application that is "browser based" and we are instructed to use Windows 2000K as the client. I feel that if an application is "browser based" I should be able to use any client and browser. I used a browser on Linux with a "windows terminal services" package installed and connected to the server via a login/passwd with a browser. The problem occurred when the "software control" didn't work and I was dropped to the server desktop. I had full control over the server. I immediately contacted security.......
>
> Please be aware of this potential and serious security problem using terminal services.
>
> The terminal services package I tested was the LINDESK for Linux.
> Ron
>
> --
> Please see the official ORACLE-L FAQ: http://www.orafaq.net
> --
> Author: Ron Rogers
> INET: [EMAIL PROTECTED]
>
> Fat City Network Services -- 858-538-5051 http://www.fatcity.com
> San Diego, California -- Mailing list and web hosting services
> ---------------------------------------------------------------------
> To REMOVE yourself from this mailing list, send an E-Mail message
> to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
> the message BODY, include a line containing: UNSUB ORACLE-L
> (or the name of mailing list you want to be removed from). You may
> also send the HELP command for other information (like subscribing).

--
Author: Niall Litchfield
INET: [EMAIL PROTECTED]
