[Originally sent to Bugtraq; Elias felt it was better suited to Vuln-Dev.]

> From: Jeff Carnahan [mailto:tailsat_private]
> Sent: Monday, September 03, 2001 1:36 AM

[Discussing easily-spoofed session IDs in the Verizon user-account web interface, Jeff noted some results from spoofed requests, including the following.]

> One session ID produced the message:
>
> DFS555I TRAN ACOPT07H ABEND S000,U4010 ; MSG IN
> PROCESS: ACOPT07H GETUSGA
> INTERNET08448771
> 2001/245 23:20:53

Looks like Verizon is using an IMS (an IBM mainframe DBMS and execution environment, with a queuing architecture, often used for transactional applications like this) backend. That's the usual source of DFS error messages in my experience.

"ACOPT07H" is the transaction name (assigned by the IMS DBA). "GETUSGA" is a parameter, probably a control code for "get user [something]". "INTERNET" is presumably a flag telling the system that this was a web request, and "08448771" may have been the session ID. "2001/245" is the date in year/day-of-year form, of course.

It's been a while since I looked at DFS message formats, but I suspect "S000,U4010" means user rather than system abend - the program processing the transaction abended with code 4010.

IBM IMS red books are probably available on the IBM web, if anyone's interested in digging further.

This information probably isn't particularly useful (I don't think there are any IMS script-kiddies out there), but it should be embarrassing for the developers that it gets exposed at all.

Michael Wojcik
Principal Software Systems Developer, Micro Focus
Department of English, Miami University
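As an added illustration (not part of the original thread or of any Verizon or IBM code), the following Python snippet shows how a defender could scan captured HTTP response bodies, for example from a proxy log or a QA crawl, for leaked IMS DFS abend text, and decode the fields the way the post above reads them. The HTML wrapper around the message is constructed for the example; the regular expression is written against the single message shape quoted in the thread, not the full DFS message catalogue, and the `S000` / `U4010` interpretation follows the post's reading that a system code of 000 indicates a user abend. The remediation such a scan points to is server-side: map backend errors to a generic error page rather than echoing mainframe diagnostics to the client.

```python
import re
from datetime import date, timedelta

# Constructed sample: the DFS abend message quoted in the thread, embedded in
# an (assumed) HTML error page as it might be captured from a web response.
SAMPLE_RESPONSE = """<html><body><pre>
DFS555I TRAN ACOPT07H ABEND S000,U4010 ; MSG IN
PROCESS: ACOPT07H GETUSGA
INTERNET08448771
2001/245 23:20:53
</pre></body></html>"""

# DFSnnnX TRAN <transaction> ABEND Sxxx,Unnnn  (shape taken from the quoted message)
DFS_ABEND = re.compile(
    r"DFS(?P<msgid>\d{3}[A-Z])\s+TRAN\s+(?P<tran>\S+)\s+ABEND\s+"
    r"S(?P<sys>[0-9A-F]{3}),U(?P<user>\d{4})"
)
# yyyy/ddd hh:mm:ss  (year and day-of-year, as noted in the post)
JULIAN_TS = re.compile(r"(?P<year>\d{4})/(?P<doy>\d{3})\s+(?P<time>\d{2}:\d{2}:\d{2})")


def ordinal_to_date(year, doy):
    """Convert a year/day-of-year pair to a calendar date."""
    return date(year, 1, 1) + timedelta(days=doy - 1)


def parse_dfs_leak(body):
    """Return a dict describing a leaked IMS DFS abend message, or None if absent."""
    m = DFS_ABEND.search(body)
    if not m:
        return None
    finding = {
        "message_id": "DFS" + m.group("msgid"),
        "transaction": m.group("tran"),
        "system_abend": m.group("sys"),
        "user_abend": int(m.group("user")),
        # A system code of 000 means the abend was raised by the program itself
        # (user abend), so the U code carries the meaningful cause.
        "abend_kind": "user" if m.group("sys") == "000" else "system",
    }
    ts = JULIAN_TS.search(body)
    if ts:
        d = ordinal_to_date(int(ts.group("year")), int(ts.group("doy")))
        finding["timestamp"] = f"{d.isoformat()} {ts.group('time')}"
    return finding


def scan_responses(responses):
    """Scan (url, body) pairs and return one finding per response that leaks a DFS message."""
    findings = []
    for url, body in responses:
        leak = parse_dfs_leak(body)
        if leak:
            leak["url"] = url
            findings.append(leak)
    return findings


if __name__ == "__main__":
    # Constructed inputs: one leaking response and one clean one.
    for f in scan_responses([("/account?sid=08448771", SAMPLE_RESPONSE),
                             ("/account?sid=00000001", "<html>OK</html>")]):
        print(f)
```

Running the script reports the leaking response only, with the transaction name, the user abend code 4010 and the timestamp resolved to 2001-09-02 23:20:53, which lines up with the date of Jeff's report.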
This archive was generated by hypermail 2b30 : Tue Sep 04 2001 - 18:29:13 PDT