I am in contact with the QMS customer support and they assured me they will work on the solution to the problem. In the meantime, though, I think it is important to let everyone know about this possible security hole. There's a gapping security hole in QMS-2060 network printer that enables a root access to the printer WITHOUT password protection: According to the printer manual, one has to install file passwd.ftp in the printer in order to establish eligible users and their passwords. After the file has been installed, all the users mentioned in the file HAVE to provide their passwords to log on the printer EXCEPT root, even if root and his password are explicitly mentioned in the file. It means that ANYONE can log on the printer as root, rewrite the passwd.ftp file with an arbitrary file and disable an access to the printer to anyone else. This person can also change the file hosts, that list machines, which are allowed to connect to the printer. So, anyone can rewrite passwd.ftp file and hosts file, print out hundreds of pages directly from his own machine without being registered by the lp accounting system on the server and then put the original files back to cover his tracks. I will post here the solution from QMS as soon as it is found. Frank Bures, Dept. of Chemistry, University of Toronto, M5S 3H6 fburesat_private http://frank.chem.utoronto.ca/electronics
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:57:01 PDT