Here are a couple more problems with the Tektronix webserver services: (We run the Tektronix 740 Extended) When the people at Tektronix designed the web services, security was in mind. For example, some URLs that require password authentication do generate a key to pass along instead of the plain password. For example, if you download the Job Accounting Records the URL is as follows: http://>/config_job_browse.html?http_password=<alphabet soup>&job_record=30 This is great, except it appears that the key is only generated one time, I can paste this URL into any browser on any machine and view the URL with no restrictions. In walks the History folder, any user that has access to your machine, unless you clear the history, can access any URL viewed by the administrator, including pages that require password authentication. If the administrator ever downloads the Job Accounting log, he/she is required to enter in the admin password. After the password is entered and submitted, the page containing the job accounting links has the following url: http:// >/config_job_links?http_password=<cleartextpassord> Basically, any user that gets noses and decides to browse your History folder can stumble upon this url with the words "http_password=joo" slapping them in the face. Point being made, clear you history if you use the web services for printer administration, and restrict access the ports corresponding to the services you have running. ---------------------------- Blake Frantz Systems Administrator Specialty Care Systems, Inc. blakeat_private ---------------------------- "Our Government, like diapers, should be changed regularly and often for the same reason." - Don't know
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:13:14 PDT