Disclosure of AS/400 user accounts via the FTP server

["Shalom Carmel" <shalom () venera com>]

Disclosure of AS/400 user accounts via the FTP server

Overview
---------
AS/400 servers support FTP in two modes, legacy mode and IFS mode, 
and supports switching between both modes by a special FTP command. 
When in IFS mode, it is possible to create a special symbolic link 
file and retrieve the full list of user accounts.

Details
--------
The iSeries FTP server supports two methods to looks at disk contents. 
You can view and manipulate existing libraries and database files 
inside the libraries in the traditional legacy mode, 
or as part of the Integrated File System (IFS).

The iSeries FTP server can be instructed to change the mode 
from legacy to IFS by special FTP commands.

The ADDLNK AS/400 utility creates a symbolic link file in IFS
that may act as a pointer to any AS/400 object, including 
the QSYS library. 

This utility can be executed from an FTP session by the special 
RCMD FTP command.

When an FTP client connects to an AS/400 server, changes the 
mode to IFS mode, and lists the contents of a symbolic link 
pointing at the QSYS library, he receives the full list of 
user accounts, including last log in date, and account authorities.



For full details and sample code please read the PDF file found at 
http://www.venera.com/downloads.htm

Shalom Carmel