Disclosure of AS/400 user accounts via the FTP server
Overview
---------
AS/400 servers support FTP in two modes, legacy mode and IFS mode,
and support switching between the two modes with a special FTP command.
When in IFS mode, it is possible to create a special symbolic link
file and retrieve the full list of user accounts.
Details
--------
The iSeries FTP server supports two methods to look at disk contents.
You can view and manipulate existing libraries and database files
inside the libraries in the traditional legacy mode,
or as part of the Integrated File System (IFS).
The iSeries FTP server can be instructed to change the mode
from legacy to IFS by special FTP commands.
The ADDLNK AS/400 utility creates a symbolic link file in IFS
that may act as a pointer to any AS/400 object, including
the QSYS library.
This utility can be executed from an FTP session by the special
RCMD FTP command.
When an FTP client connects to an AS/400 server, changes the
mode to IFS mode, and lists the contents of a symbolic link
pointing at the QSYS library, it receives the full list of
user accounts, including last login date and account authorities.
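
For defenders, the sequence described above can be looked for in FTP request logs. The following is an added example, not code from this advisory or its PDF: it flags an RCMD that runs ADDLNK against the QSYS library and any later listing of the resulting link. The key=value log layout, the field names and the sample records are assumptions constructed for the example.

```python
import re

# Constructed sample log. The key=value layout and field names are assumptions
# for this example (e.g. records written by a site's own FTP request logging),
# not a format produced by the iSeries FTP server itself.
SAMPLE_LOG = """\
2003-01-10T09:14:02 session=17 user=ALICE op=LIST path=/home/alice
2003-01-10T09:15:40 session=18 user=GUEST op=RCMD cl=ADDLNK target=/QSYS.LIB link=/home/guest/q
2003-01-10T09:15:44 session=18 user=GUEST op=LIST path=/home/guest/q
2003-01-10T09:20:11 session=19 user=BOB op=RCMD cl=ADDLNK target=/home/bob/data link=/home/bob/d
2003-01-10T09:20:15 session=19 user=BOB op=LIST path=/home/bob/d
2003-01-10T09:31:05 session=20 user=CAROL op=RCMD cl=DSPLIB target=-
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def targets_qsys(path):
    """True when an IFS path is /QSYS.LIB or something beneath it."""
    p = path.upper().rstrip("/")
    return p == "/QSYS.LIB" or p.startswith("/QSYS.LIB/")


def find_qsys_link_activity(log_text):
    """Return (session, user, stage, path) tuples for QSYS symlink activity."""
    # A link persists on disk after the session that created it ends, so the
    # set of known links is kept across sessions rather than per session.
    qsys_links = set()
    findings = []
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        op = f.get("op", "").upper()
        if op == "RCMD" and f.get("cl", "").upper() == "ADDLNK":
            link = f.get("link", "").upper().rstrip("/")
            if link and targets_qsys(f.get("target", "")):
                qsys_links.add(link)
                findings.append((f.get("session"), f.get("user"), "link-created", link))
        elif op in ("LIST", "NLST"):
            path = f.get("path", "").upper().rstrip("/")
            if any(path == l or path.startswith(l + "/") for l in qsys_links):
                findings.append((f.get("session"), f.get("user"), "link-listed", path))
    return findings


if __name__ == "__main__":
    for finding in find_qsys_link_activity(SAMPLE_LOG):
        print(finding)
```
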
For full details and sample code please read the PDF file found at
http://www.venera.com/downloads.htm
Shalom Carmel