The point isn't whether you can "get in". The point is what you can do once you "get in".

Some connectivity tools only allow you to execute a routine that already exists as a catalog entry in the U2 environment, and merely scrape the data sent back. Those seem fairly innocuous.

However I agree that this ability to execute *any* hacked script once you have a password is a serious security concern. If this was a Microsoft product it would be all over the news.

There are plenty of clerks who you give a password to, in order to do things like "process orders from home". You wouldn't want to walk in at 8am Monday morning to find that their bright teenager has used that password to transfer a million dollars into their checking account using your automated banking system. Right?

Will Johnson
Fast Forward Technologies

-----Original Message-----
From: Tony Gravagno <[EMAIL PROTECTED]>
To: [email protected]
Sent: Thu, 26 May 2005 11:13:48 -0700
Subject: RE: [U2] Uniobjects hack

Well, let's not put this all on UO. Almost all of the connectivity tools in our market were written without any thought of security. It's generally assumed that if you have a valid password to the system that you are authorized to use whatever means available to get in.

What I don't like is that some/most of the connectivity products in our market don't have any point to point encryption and pass all data in plain text - including user IDs and passwords.

Tony Gravagno
Nebula Research and Development
TG@ removethisNebula-RnD .com

Martin Phillips MartinPhillips-at-ladybridge.com |U2UG| wrote:
> This is a hole in the Uniobjects security. ...
> ... This seems to leave UV/Udt systems
> that enable Uniobjects wide open to hacking. Try it!
-------
u2-users mailing list
[email protected]
To unsubscribe please visit http://listserver.u2ug.org/
