Path: utzoo!attcan!uunet!wuarchive!zaphod.mps.ohio-state.edu!caen!hellgate.utah.edu!fcom.cc.utah.edu!cc.utah.edu!cc.usu.edu!jrd
From: JRD@cc.usu.edu (Joe Doupnik)
Newsgroups: comp.sys.att
Subject: StarGROUP DOS Server insecurities.
Message-ID: <40913@cc.usu.edu>
Date: 25 Oct 90 02:29:45 GMT
Lines: 11

Has anyone commented on the ability of an ordinary DOS client to execute the StarGROUP DOS Server command SRV and stop the entire server? I pulled the plug on mapping the attutil logical name across the network where this ability is sitting right in the open as SRV.EXE. The trick is to edit the file RULES.LST and remove the last line invoking server file NETSTART.BAT. But this was not quite enough because a user can use Kermit to log into the Unix server and do exactly the same bad things via FACE. Overall this seems to be a cavernous security hole.

Joe D.