[16669] in bugtraq
ref advisory #20000907
daemon@ATHENA.MIT.EDU (John McCain)
Fri Sep 8 16:49:25 2000
Message-ID: <s9b8f5bd.098@pomeroy.com>
Date: Fri, 8 Sep 2000 14:20:20 -0400
Reply-To: John McCain <jmccain@POMEROY.COM>
From: John McCain <jmccain@POMEROY.COM>
X-To: feedback@foghornsecurity.com
To: BUGTRAQ@SECURITYFOCUS.COM
Your statements regarding this security "hole" are misleading.
While it is true that not watching write rights to ACLs can lead to network problems, anyone who has undergone any level of NetWare training knows the extent to which Novell warns against granting broad property write rights, specifically because of the danger of giving someone rights to another object's ACL. Setting a property-level IRF on the ACL property would be neither time-consuming nor prone to error.
The dangers of granting write property rights to ACLs are discussed extensively in the training materials for Novell's CNA certification, their base level of certification. I suggest you review these materials before publishing similar warnings, or avail yourself of someone who has.