
Re: Security issues regarding FTPAPI and PowerTech



Sender: Scott Klement <sk@xxxxxxxxxxxxxxxx>


Hi Steve,

I'm not familiar with the "POWERLOCK" security software.  I don't know
what it does or how it works, so it's a little hard for me to comment on
why it may not block FTPAPI.

However, I can tell you this:   FTPAPI is a program that implements FTP
according to the standard for FTP released by the Internet Engineering
Task Force.  (Which, to my knowledge, is the ONLY standard for FTP.)

FTPAPI is just an RPG program written using standard system APIs.  If
you're telling me that the ability to bypass your security measures is a
bug in FTPAPI, then I'd submit that any other program on your system could
easily do the same thing to bypass your security measures.   Anyone with
the ability to compile or install compiled objects on your system can
compromise it at any time.

Trying to fix this problem by changing FTPAPI would be like locking a door
on a house with no walls -- sure, you might stop one particular person
from entering in one particular way, but since anyone can walk around it,
it's kind of pointless.

Clearly, if POWERLOCK is intended to be able to stop anyone from using FTP
on your system, then you've discovered a bug in POWERLOCK -- not in
FTPAPI.

On Thu, 12 Feb 2004, Steve Landess wrote:
>
> I have installed the FTPAPI routines on a system that has PowerTech's
> POWERLOCK security software running.  As a security test, through
> POWERLOCK we locked down FTP access to the iSeries system for my user
> profile.
>
> We discovered that POWERLOCK doesn't prevent me from calling your
> routines to GET or PUT a file, apparently since FTPAPI isn't considered
> to be "FTP" in the iSeries definition of FTP.  How would we go about
> securing FTPAPI, other than through native security methods?
>
> This may also be a question for John Earl...I'm also copying him.
>
-----------------------------------------------------------------------
This is the FTPAPI mailing list.  To unsubscribe from the list send mail
to majordomo@xxxxxxxxxxxxx with the body: unsubscribe ftpapi mymailaddr
-----------------------------------------------------------------------