Secure Coding mailing list archives

Mainframe Security


From: ljknews at mac.com (ljknews)
Date: Fri, 2 Nov 2007 09:27:59 -0400

At 2:16 PM +0100 11/2/07, Johan Peeters wrote:

I have been looking at an IBM system. If I do something like this

          ...
           01 txt                             PIC  X(120)
           ....
           string '**' delimited by size
             into txt
           end-string
           display txt

I get to see ** on sysout followed by what appears to be selected
contents of the data section. This strikes me as somewhat worrisome -
it reminds me of the format string vulnerabilities in C.
Am I just being paranoid?

A program that improperly releases data due to programmer error is
beyond what I consider to be the realm of security.  To me that is
merely bad programming.

To me the criterion is whether an outsider can cause a program to do
something other than what it does for normal users.  Some secret back
door password that causes organizational secrets to be released would
be a Trojan horse.  A typical method of controlling that is with the
security controls on a database, so only authorized users can read the
"company secret" field, no matter how badly the application programmer
messes up.
-- 
Larry Kilgallen
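A constructed illustration of the behaviour Johan describes, added here and not part of the original thread: STRING writes only the characters it is given and leaves the rest of the receiving field exactly as it was, so whatever occupied TXT beforehand is displayed after the two asterisks. The program name and the STALE field that stands in for residual storage are assumptions, and the MOVE that seeds TXT with old data simulates a field that nothing ever cleared.

```cobol
       IDENTIFICATION DIVISION.
       PROGRAM-ID. STRLEAK.
       DATA DIVISION.
       WORKING-STORAGE SECTION.
      * Constructed: STALE stands in for whatever happened to occupy
      * storage before this code ran (an earlier record, a password...).
       01 stale                       PIC X(120) VALUE ALL 'S'.
      * No VALUE clause, just like TXT in the post: nothing clears it.
       01 txt                         PIC X(120).
       PROCEDURE DIVISION.
      * Simulate the residual contents that the post saw on SYSOUT.
           MOVE stale TO txt
      * Pattern from the post: STRING stores only '**' in positions
      * 1-2; positions 3-120 keep their old bytes and DISPLAY prints
      * all 120, so the stale data goes out with the asterisks.
           STRING '**' DELIMITED BY SIZE
               INTO txt
           END-STRING
           DISPLAY 'STRING only  : ' txt
      * Mitigation 1: clear the receiving field before every STRING.
           MOVE SPACES TO txt
           STRING '**' DELIMITED BY SIZE
               INTO txt
           END-STRING
           DISPLAY 'cleared first: ' txt
      * Mitigation 2: MOVE space-fills the rest of an alphanumeric
      * receiving field itself, so it never exposes prior contents.
           MOVE stale TO txt
           MOVE '**' TO txt
           DISPLAY 'MOVE         : ' txt
           STOP RUN.
```

The first DISPLAY shows `**` followed by 118 `S` characters; the other two show `**` followed by spaces, which is the output the post expected.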

