Re: Vamp Hacked!

From: Larry Kilgallen (Kilgallen_at_SpamCop.net)
Date: 29 Sep 2005 13:06:17 -0500

In article <11jnn8dbv114pdc@corp.supernews.com>, "issinoho" <issinoho@gmail.com> writes:
>
> "Larry Kilgallen" <Kilgallen@SpamCop.net> wrote in message
> news:RNxkCKGwj88x@eisner.encompasserve.org...
>> In article <11jnlqpcd9j2l79@corp.supernews.com>, "issinoho"
>> <issinoho@gmail.com> writes:
>>
>>> As to the latter, a combination of MySQL and Apache logs revealed a
>>> scripted attack at 19:33 on the 27th which exploited a vulnerability in
>>> phpBB (the bulletin board system the site is using) to gain Admin access.
>>> The version of phpBB being used by VAMP (2.0.11) was a little aged and I
>>> had been lax in keeping it patched so maybe I had this coming!
>>
>> Hindsight is wonderful, but it is better to rely on authentication
>> mechanisms within (or mediated by) VMS rather than applications that
>> roll their own. On current Alpha versions (not VAX) your application
>> can call the $ACM system service for authentication purposes.
>>
>> If you need services not native to VMS, like smart card support,
>> you can attach those to the other end of the VMS ACME mechanism.
>> Doing this is harder to program than simply slapping authentication
>> into an application because there is less flexibility. That means
>> better security through a disciplined interface that has seen review
>> and includes break-in evasion, etc.
>
> All noted. Although as this is by definition an anonymous public resource,
> it makes nailing things down like you suggest somewhat tricky.

If Administrative Access is supposed to be anonymous, there is no hope.
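The thread mentions that the intrusion was pieced together from MySQL and Apache logs, but shows none of that work. The following is an added example, not code from any poster, of the kind of Apache-log triage a defender would run after such an incident: it parses combined-format access log lines, flags clients whose request rate looks scripted rather than human, lists successful hits on the board's administrative area, and measures how quickly each client reached that area after it was first seen. The log lines are constructed for the example, and the `/phpBB2/admin/` install path, the burst window and the threshold are assumptions, not facts from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache combined-log sample (not from the original post). One client
# browses at a human pace; the other issues nine requests in six seconds and ends
# up with HTTP 200 responses from the admin area.
SAMPLE_LOG = """\
198.51.100.20 - - [27/Sep/2005:19:20:05 -0500] "GET /phpBB2/index.php HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
198.51.100.20 - - [27/Sep/2005:19:24:40 -0500] "GET /phpBB2/viewforum.php?f=3 HTTP/1.1" 200 7810 "-" "Mozilla/4.0"
198.51.100.20 - - [27/Sep/2005:19:31:12 -0500] "GET /phpBB2/viewtopic.php?t=42 HTTP/1.1" 200 9002 "-" "Mozilla/4.0"
203.0.113.7 - - [27/Sep/2005:19:33:00 -0500] "GET /phpBB2/index.php HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
203.0.113.7 - - [27/Sep/2005:19:33:00 -0500] "GET /phpBB2/viewtopic.php?t=1 HTTP/1.1" 200 6100 "-" "Mozilla/4.0"
203.0.113.7 - - [27/Sep/2005:19:33:01 -0500] "GET /phpBB2/viewtopic.php?t=2 HTTP/1.1" 200 6210 "-" "Mozilla/4.0"
203.0.113.7 - - [27/Sep/2005:19:33:01 -0500] "GET /phpBB2/viewtopic.php?t=3 HTTP/1.1" 200 6190 "-" "Mozilla/4.0"
203.0.113.7 - - [27/Sep/2005:19:33:02 -0500] "GET /phpBB2/viewtopic.php?t=4 HTTP/1.1" 200 6305 "-" "Mozilla/4.0"
203.0.113.7 - - [27/Sep/2005:19:33:02 -0500] "GET /phpBB2/viewtopic.php?t=5 HTTP/1.1" 200 6250 "-" "Mozilla/4.0"
203.0.113.7 - - [27/Sep/2005:19:33:03 -0500] "POST /phpBB2/login.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
203.0.113.7 - - [27/Sep/2005:19:33:04 -0500] "GET /phpBB2/admin/index.php HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
203.0.113.7 - - [27/Sep/2005:19:33:06 -0500] "GET /phpBB2/admin/admin_users.php HTTP/1.1" 200 3120 "-" "Mozilla/4.0"
"""

# Assumed install path of the board's administrative scripts.
ADMIN_PREFIX = "/phpBB2/admin/"

# Apache "combined" format: client, identd, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def parse_log(text):
    """Parse every well-formed line of an access log, skipping unparseable ones."""
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def find_burst_clients(records, window_seconds=10, threshold=8):
    """Return {ip: peak_count} for clients that made >= threshold requests
    inside any sliding window of window_seconds; a crude 'scripted' signal."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r["ts"])
    flagged = {}
    window = timedelta(seconds=window_seconds)
    for ip, times in by_ip.items():
        times.sort()
        lo, best = 0, 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def find_admin_access(records):
    """Return (ip, iso_timestamp, path) for every successful hit under ADMIN_PREFIX."""
    return [
        (r["ip"], r["ts"].isoformat(), r["path"])
        for r in records
        if r["path"].startswith(ADMIN_PREFIX) and r["status"] == 200
    ]


def seconds_to_first_admin_hit(records):
    """For each client that reached the admin area, seconds between its first
    request of any kind and its first successful admin hit. Very small values
    mean the client went straight for the admin scripts without browsing."""
    first_seen, first_admin = {}, {}
    for r in sorted(records, key=lambda rec: rec["ts"]):
        first_seen.setdefault(r["ip"], r["ts"])
        if r["path"].startswith(ADMIN_PREFIX) and r["status"] == 200:
            first_admin.setdefault(r["ip"], r["ts"])
    return {ip: (first_admin[ip] - first_seen[ip]).total_seconds() for ip in first_admin}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("scripted clients:", find_burst_clients(recs))
    for hit in find_admin_access(recs):
        print("admin access:", hit)
    print("seconds from first request to admin area:", seconds_to_first_admin_hit(recs))
```

On the constructed sample, the burst detector singles out 203.0.113.7 (nine requests inside ten seconds) while the human-paced client is ignored, and the same client reaches the admin scripts four seconds after its first request. On a real log the thresholds would need tuning against the board's normal traffic, and the admin-hit list is what you would cross-check against the MySQL side (session and user tables) to confirm which account was used.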