Possible instant access security hole

When using instant access camera from the lock screen, then pressing home on iPhone 4 iOS 5, it goes straight into the home page without needing to enter a passcode. Anyone else seeing this?

No, if I open camera from lock and press the home button, it requires passcode.  Do you have your passcode set to be required after 2 minutes?
Go to Settings > General > passcode lock (enter passcode) > Require Passcode (change to immediately)
and see if that works.
Cheers!

Similar Messages

  • Possible Login Screen Security Hole in Lion?

    I think that I have found a glitch in the login screen in Lion that allows a user to hack in to an account without a password! It appears to occur on Macbooks with OS X Lion and here is how to reproduce it:
    1. Make sure that your account is password-protected and that you require a password 5 seconds after the screen saver/sleep begins. Also, be sure that you have the default "hot corner" settings and OS X Lion. Lastly, make sure that Finder is on the farthest left icon on your dock and that your screen saver is set to spectrum!
    2. Close all open windows to see your desktop.
    3. Now, close your Macbook lid, wait 10 seconds, and open it up. You should see a screen similar to the one shown below, but with your wallpaper & info:
    4. Now forcefully (yes, forcefully) restart your Mac by pressing down command, control, and the power button at the same time.
    5. Wait for your Mac to start up and you should see the same screen you saw (like the image above.)
    6. Click in the battery/time/wifi signal/etc. area in the top right corner without mousing over the corner.
    7. Now, mouseover the top right corner of the screen, as it will launch some kind of odd "mission control". From there, ANYONE can control your Mac without seeing your screen. From there, mouse over where you think Finder is on the dock (in the bottom-left corner of the dock) without mousing over any corners of the screen and click it. That SHOULD launch finder on your Mac.
    8. The login screen should reappear! (Odd, isn't it?)
    9. Now, mouseover the bottom-left corner and hold esc as soon as the screen turns completely dark. If successful, you should see your screensaver show up. While holding esc, move your mouse around towards the bottom-right corner. You should see your cursor over top of the "wheel of doom".
    10. The screen should flicker and you have hacked in to your account! Funny, isn't it?
    11. You should see finder over top of your desktop if you located finder correctly in step 7! Cool?
    If you are not successful, restart the entire process from step 4 and skip steps 7-8. If it doesn't work out for you after a few attempts, give up! Let's not waste any time on hacking in to an account (unless you are a hacker.)
    Is it just me or can anyone else reproduce this? If it occurs (or not), please list your Macbook's specs and details in a reply.

  • IGS: Vulnerability "security hole in level 3"

    Hi!
    We are using SAP ERP 6.0 system with an integrated IGS 7.0
    We already changed IGS according to SAP Note 896400 to the version 7.00 (Patch 15)
    When we run scan on demand we get the following information: 
    A security hole in level 3 was found at server ServerX.
    Vulnerability-Level [highest]: 3
    Vulnerability-Level [highest counted]: 0
    Vulnerability Details
    Date: Sun 10 May 2009  1:26:13 MET
    Vuln: 300803
    Vulnerability: SAPXPG Remote OS Command Execution at sysnr 3
    ToDo: Set up a project to implement access restriction rules to RFC programs
    with the 'secinfo' and 'reginfo' (only available in SAP Netweaver) mechanism
    CertRef: M906071, SAP 30/08
    Tool Reference: proprietary CERT and IPINS scanner
    Comment:
    Counted in: 2009-07
    Monitor:
    Date: Sun 10 May 2009  1:26:17 MET
    Vuln#: 100806
    Vulnerability: External Server Registration is possible at sysnr 3
    ToDo: Secure remote registration of RFC programs (only possible in SAP Basis
    7.00 and later)
    CertRef: M906071
    Tool Reference: proprietary CERT and IPINS scanner
    Comment:
    Counted in: 2009-07
    Monitor:
    Date: Sun 10 May 2009  1:26:17 MET
    Vuln#: 101802
    Vulnerability: IGS HTTP Administration is enabled and this version has
    reported vulnerabilities at sysnr 3
    ToDo: Upgrade to a higher patch level, i.e., for BC-FES-IGS 6.40 Patch Level
    17 or higher and for  BC-FES-IGS 7.00 Patch Level 07 or higher
    CertRef: SAP 34/09
    Tool Reference: proprietary CERT and IPINS scanner
    Comment:
    Counted in: 2009-07
    Monitor:
    End of Vulnerability Details
    Question:
    What do we have to do to avoid a security hole in level 3?
    Thank you very much!
    regards

    Did you solve the problem below? Can you help me?
    I have the same problem.
    What is the format of secinfo and reginfo, and what value to set for profile gw/reg_no_conn_info?
    Thanks,
    Vulnerability Details
    Date: Sun 10 May 2009 1:26:13 MET
    Vuln: 300803
    Vulnerability: SAPXPG Remote OS Command Execution at sysnr 3
    ToDo: Set up a project to implement access restriction rules to RFC programs
    with the 'secinfo' and 'reginfo' (only available in SAP Netweaver) mechanism
    CertRef: M906071, SAP 30/08
    Tool Reference: proprietary CERT and IPINS scanner
    Comment:
    Counted in: 2009-07
    Monitor:

  • Any security hole in this programm?

    The code below is a benchmarking harness for sorting algorithms.
    // a driver (each public class below goes in its own .java file)
    public class TestSort {
        static Object[] testData = {
            0.3, 1.3e-2, 7.9, 3.17
        };

        public static void main(String[] args) {
            // TODO Auto-generated method stub
            Sort bsort = new SimpleSortDouble();
            SortMetrics metrics = bsort.sort(testData);
            System.out.println("Metrics: " + metrics);
            for (int i = 0; i < testData.length; i++)
                System.out.println("\t" + testData[i]);
        }
    }

    // used for storing statistic data
    public class SortMetrics implements Cloneable {
        public long probeCnt,   // data probes
                    compareCnt, // comparing two elements
                    swapCnt;    // swapping two elements

        public void init() {
            probeCnt = swapCnt = compareCnt = 0;
        }

        public String toString() {
            return probeCnt + " probes " + compareCnt + " compares " + swapCnt + " swaps";
        }

        /** overriding clone */
        public Object clone() {
            try {
                return super.clone();
            } catch (CloneNotSupportedException e) {
                throw new InternalError(e.toString());
            }
        }
    }

    // this is the main framework
    public abstract class Sort {
        private Object[] values;
        private final SortMetrics curMetrics = new SortMetrics();

        /** Invoked to do the full sort */
        public final SortMetrics sort(Object[] data) {
            values = data;
            curMetrics.init();
            doSort();
            return getMetrics();
        }

        // returns a copy so callers cannot modify the live counters
        public final SortMetrics getMetrics() {
            return (SortMetrics) curMetrics.clone();
        }

        protected final int getDataLength() {
            return values.length;
        }

        // counted read of one element
        protected final Object probe(int i) {
            curMetrics.probeCnt++;
            return values[i];
        }

        // counted comparison of two elements
        protected final int compare(int i, int j) {
            curMetrics.compareCnt++;
            Object d1 = values[i];
            Object d2 = values[j];
            if (d1 == d2)
                return 0;
            else
                return (Double.parseDouble(d1.toString()) > Double.parseDouble(d2.toString()) ? -1 : 1);
        }

        // counted exchange of two elements
        protected final void swap(int i, int j) {
            curMetrics.swapCnt++;
            Object tmp = values[i];
            values[i] = values[j];
            values[j] = tmp;
        }

        protected abstract void doSort();
    }

    // used to define a sorting algorithm
    public class SimpleSortDouble extends Sort {
        @Override
        protected void doSort() {
            // TODO Auto-generated method stub
            for (int i = 0; i < getDataLength(); i++)
                for (int j = 0; j < getDataLength() - i; j++)
                    if (compare(i, j) > 0)
                        swap(i, j);
        }
    }
    This is a question in "The Java Programming Language (Third Edition)", page 102. I was required to find at least one security hole in the "Sort" class that would let a sorting algorithm cheat on its metrics without being caught, assuming that the sorting algorithm author doesn't get to write method "main".
    In my naive opinion this framework is well-designed, since I find all the access methods that shouldn't be extended are declared final. It's really hard for me to figure out any security problem.
    I'm very eager to know the answer, please enlighten me!

    How about this
    Object[] theList = new Object[getDataLength()];
    for (int i = 0; i < theList.length; i++) {
      theList[i] = probe(i);
    }
    // we now have a local copy of the list.
    // we can do as many comparisons as we like on our local copy,
    // and just mirror the swaps with the sorting algorithm.
    for (int i = 0; i < getDataLength(); i++)
      for (int j = 0; j < getDataLength() - i; j++)
          if (((Comparable) theList[i]).compareTo(theList[j]) > 0) {
              swap(i, j);
              // keep the local copy in step with the framework's array
              Object tmp = theList[i];
              theList[i] = theList[j];
              theList[j] = tmp;
          }
    Thus we can falsify the number of comparisons we actually do.
    With a bit more effort, you can sort the list, figure out the minimum number of swaps needed to move the original list to the sorted one, and apply those ones.
    The trick is to avoid calling probe, compare and swap as much as possible. By calling probe once for each element, we no longer have to call compare to compare them.

  • SQ02 Infoset - security hole

    Hi,
    I have heard, that SQ02 (creating Infosets) has several security holes (regarding authority). Does anybody know about it and could specify these holes?
    Thanks
    Markus

    Hi
    Steps on how to proceed to create a Query:
    ADHOC QUERY
    A query can be created to extract information from master records  i.e  Infotypes.  For example, by creating a query , the data relating to an employee contained in various Infotypes can be extracted.
    Procedure:
    Decide on the various Infotypes we want to make the query. Decide on the area where we want to query, i.e. Global area or Standard area. Standard area is client specific and global area will include all clients.
    Menu : HR – PM – Admn -  Information System -  Adhoc Query
    Select area standard and select the  user group already created
    Creation of new query  :  
    TC SQ03  -  Select Environment – Select Standard Area -  Enter  --  If new user group is to be created, enter name of the user group, click on create and enter necessary information and  exit after saving
    TC SQ02  -  Enter name of the Infoset – Create – enter name of Infoset -  Data source -- >  Table join by basis table – give name of table e.g  pa0000 -  Enter -  Click on insert table if we  want to include more tables – give name of table one by one and after finishing,  place cursor on the joining lines and right click to delete unwanted relationships  - check  - and go back  - field groups  -  include all table fields  - click on generate button   -  go out
    TC SQ03  -  Select user group  -   eg.  Payroll
    Infoset  - Enter name of newly created Infoset 
    Assign users and Infosets  -  Assign infosets  -  put tick on payroll  - save and go back
    TC  PAAH  -  Expand the nodes and put tick on relevant fields depending upon necessity
    Save the query by giving the same name as infoset for easiness.
    Use
    The InfoSet Query is designed for reporting on data stored in flat tables. It is particularly useful for reporting on joins for master data and joins for ODS objects.
    Prerequisites
    You must take the following steps before you can create Infoset queries:
    ·        Set up Roles for the InfoSet Query
    ·        Process Classic InfoSets and Assign Roles
    Procedure
    Define the InfoSet Query
           1.      Call the Query Builder. There are various ways of doing this:
    To call the Query Builder from the corresponding role menu or from the BEx Browser, double-click on the InfoSet Query entry in the menu that is created when you set up a role.
    Developers and testers of Classic InfoSets are able to call up the Query Builder directly from the Classic InfoSet overview in the Administrator Workbench.
    If several Classic InfoSets are assigned to a role, and one of them has been identified as a standard Classic InfoSet, this Classic InfoSet is used as a template when the query is called up. To change the template, choose Create New Query – Classic InfoSet Selection. Any of the Classic InfoSets that are assigned to the role can be the new template.
           2.      Define your query. The procedure is similar to the procedure for defining queries in the BEx Analyzer.
    Transfer individual fields from the field groups you have selected in the Classic InfoSet into the preview. To do this, use the drag and drop function, or highlight the relevant fields in the field list.
    Use either of these two methods to select any fields you want to use as filters. These fields are displayed in the Selections area of the screen (top right).
    When you are preparing the query, only example data is displayed in the Preview. When you choose the Output or Refresh function, the actual results are displayed on the same screen.
           3.      Execute the query.
           4.      Choose from the following options:
    Ad hoc reporting
    You do not want to save the query for later. Save the Query Builder without saving.
    Reusable queries
    You want to save the query, because you want to work on it later, or use it as a template. Use either the Save or the Save as function to save the query.
    In addition to the Classic InfoSets that you assigned to the role, you are also able to use the query as a template. It is not possible, however, to access the query from other roles.
    After you save the query, a second dialog box appears, asking you if you want to save the query as a separate menu entry within the role. If you choose this option, you are able to start the query directly from the user menu or from the BEx Browser. It is also possible to use the Role Maintenance transaction (PFCG) to save this kind of role entry.
    Choose Menu → Refresh to display the query.
    If you want to change or delete the saved query, use the Edit function from the context menu in the BEx Browser to call the maintenance tool for InfoSet Queries with this query as a template.
    InfoSet Query on the Web
    It is possible to publish each InfoSet Query on the Web. There are the following display options:
    ·        MiniALV for creating MiniApps in the SAP Workplace
    ·        MidiALV without selection options
    ·        MidiALV with selection options
    Both the MiniALV and the MidiALV allow you to switch between various selection/layout variants. The publishing screen for the data is adjusted individually using URL parameters.
    The following prerequisites are necessary for security reasons:
    Releasing the query for the Web
    Specifying an authorization group for the corresponding Classic InfoSet
    Call up transaction RSQ02 InfoSet: Entry, and choose Go to → Additional Functions → Web Administration of Queries. Make the corresponding entries.
    Reward all helpful answers
    Regards
    Pavan

  • MSI Website(s) Security Holes (2014 preview?)

    Hello guys,
    weeks ago I discovered several security holes on *.msi.com websites. I contacted MSI several times (3 MSI facebook accounts, 2 EMail addresses) and told them where the security holes are located and what an attacker could do with these holes - but they ignored me: They didn't reply (They publish stuff on facebook and don't read the messages I send them on fb ...? - emails are the same) and they didn't fix the holes. This is just irresponsible so I just wanted you to know that most msi websites are unsafe so you shouldn't register etc because it's easy to get access to the database-server(s). If you want something like a "proof" - just contact me,
    Edited out threats and foul language -xmad
    to other users: Please don't give any personal information to MSI, be careful if you visit their websites. I'll tell you once they fixed the security holes (Okay well, only if they don't delete this post)
    to those MSI guys: Stop ignoring me, check your Facebook and mail accounts and just talk to me and fix the security holes. And well, would be pretty nice to get a reward for my work (In my opinion it just would be fair). And well - if you delete this post I'll publish everything TODAY, with detailed PoC.
    Have a nice day,
    The Captain

    First of all - sorry for using foul language and thanks to xmad to let me post again
    MSI now fixed all security holes I discovered, but if you are registered on any *.msi.com website, please change your password. If you use the same email and password on other websites, please change your password there too. I was able to gain access to several databases, so it's possible that somebody else was able to do this too.
    If somebody is interested in the timeline (dates are in dd.mm.yyyy format):
    08.12.13 Discovered first security hole and contacted MSI via email
    09.12.13 Discovered 30 other security holes
    10.12.13 Contacted MSI
    16.12.13 Contacted MSI
    18.12.13 Contacted MSI
    19.12.13 Contacted MSI
    31.13.13 Contacted MSI
    02.01.14 MSI contacted me and started to fix the security holes
    03.01.14 MSI fixed the security holes I discovered
    Well, in my opinion more than 2 weeks to fix a security hole is just too long, but everything should be fine now.
    Have a nice day,
    TheCaptain

  • Can you confirm a security hole in file sharing?

    I have found a very annoying security hole, and I wonder if it is unique to my setup. I have my mini set up with file sharing turned on. It has 5 accounts, one administrator, rest ordinary users. My login for the administrative user on my laptop is the same as on the mini. I have not turned on "Back to my Mac."
    From my laptop I navigate to the mini using either (a) the network panel in finder, (b) the local IP (afp://192.168.0.xxx), or the global IP (afp://64.xxx.xxx.xxx). (My router is set up to forward the appropriate ports to the mini's local IP). I mount the administrative user's home directory under apple file sharing. Now I have full access to these files. I DO NOT SAVE THE PASSWORD IN KEYCHAIN. All this is as it should be.
    Now I eject the administrator disk.
    From now on (until I reboot my laptop), I can mount that same disk without a password!
    Can someone confirm?

    William Lloyd wrote: "This is not a security hole."
    While I can understand that some may consider Kerberos automagically creating what is essentially a keychain without the user's express knowledge or consent a "feature", I definitely consider it a bug and a huge security hole.
    The kerberos ticket should not live longer than the user is actually connected to the machine. Currently, if the user clicks the Disconnect button the Kerberos ticket lives on and any future connections to that server will use that ticket. This is not what users (especially novice to intermediate) would expect. If the user clicks the Disconnect button, then they would expect that they are completely disconnected and any further connections to that server would require authentication. Otherwise they leave their machine wide open, hence the security hole.
    The other thing that makes this so nasty is that if the OS decides not to use kerberos, for whatever reason, the behavior is different. It behaves as the user would expect. Clicking Disconnect does completely disconnect you from the server and any future connections will require authentication. So at a minimum there is a dangerous inconsistency in behavior between when the OS uses Kerberos and when it doesn't. That, at a minimum, should be fixed.

  • SSL Security Hole in Safari 3

    I noticed a security hole in Safari 3.2.2 regarding a webpage delivered over SSL when including content from a non-secure location. Ironically, I found this in the developer login for the iPhone developer login.
    The login page, which shows as being on a SSL page with an https delivery is trying to load images, such as http://devimages.apple.com/login/images/hero.png. Notice that it is asking from the non-SSL http site.
    Under the new IE8, it is now warning about this issue and gives option to block or not block the non-secure content.
    Under Safari, it shows without warning.
    The risk of displaying mixed content is that a non-secure webpage or script might be able to access information from the secure content, creating a security hole.
    Running Safari under Vista Business X64
    Lance
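
A static check for the mixed-content condition described in the post above, as an added example that is not part of the original thread: it parses a page served over https and lists every subresource that would be fetched over plain http, split into active (scripts, frames, stylesheets), passive (images, media) and form targets. The page URL and the sample HTML are constructed placeholders; only the hero.png image URL comes from the post.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# tag -> (attribute holding the URL, impact class)
FETCHES = {
    "script": ("src", "active"), "iframe": ("src", "active"),
    "embed": ("src", "active"), "object": ("data", "active"),
    "img": ("src", "passive"), "audio": ("src", "passive"),
    "video": ("src", "passive"), "source": ("src", "passive"),
    "form": ("action", "form"),
}


class MixedContentScanner(HTMLParser):
    """Collects (kind, tag, resolved_url) for every http:// subresource."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.base = page_url  # may be overridden by a <base href> element
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}
        if tag == "base":
            if a.get("href"):
                self.base = urljoin(self.page_url, a["href"])
            return
        if tag == "link":
            # Only some link relations make the browser fetch something.
            rel = a.get("rel", "").lower().split()
            attr = "href"
            kind = "active" if "stylesheet" in rel else "passive" if "icon" in rel else None
        else:
            attr, kind = FETCHES.get(tag, (None, None))
        raw = a.get(attr) if kind else None
        if not raw:
            return
        # Relative and scheme-relative (//host/...) URLs inherit the base scheme.
        resolved = urljoin(self.base, raw)
        if urlsplit(resolved).scheme == "http":
            self.findings.append((kind, tag, resolved))


def find_mixed_content(page_url, html):
    """Return the insecure subresources of an https page, in document order."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on a secure page
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample input: a login page with secure and insecure includes.
PAGE_URL = "https://example.com/login"  # placeholder, not from the post
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/css/login.css">
<script src="//cdn.example.com/lib.js"></script>
<script src="http://static.example.com/track.js"></script>
</head><body>
<img src="http://devimages.apple.com/login/images/hero.png">
<img src="images/logo.png">
<form action="http://example.com/do-login" method="post"></form>
</body></html>
"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(PAGE_URL, SAMPLE_HTML):
        print(f"{kind:8} <{tag}> {url}")
```

An http script or stylesheet can rewrite the secure page, while an http image mainly exposes the request and can be swapped in transit, which is why the two classes are reported separately.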

  • HUGE SECURITY HOLE IN LOGIN FROM SCREEN SAVER

    One of the options in the security panel permits a user to require that a username and password be entered to login once the screen saver locks your account.
    The option is "Require password to wake this computer from sleep or screen saver"
    Although one would assume that the credentials required to wake the computer is the username/password of the account that was being used when the computer went into sleep mode or the screen saver. WRONG!!! Anyone with an account on the machine can enter their username/password and wake the computer and voila that user now has control of the machine as the former user. That's right you guessed it HUGE security hole.
    Anyone thinking that they can walk away from their machine and have the screen saver or sleep mode protect their account after a specified period of time is sadly mistaken. Anyone with an account on the machine can enter their own username and password and drop right into your account right where you left off.
    Can you believe this stuff? No warning, no release note to tell you of such a poorly designed "security" option.
    Apple please fix what must have been an oversight or at least tell people about this intentional design BEFORE they find anyone can wake the computer and become you as a user.
    Thanks,
    JH

    jonathan_2005 wrote:
    One of the options in the security panel permits a user to require that a username and password be entered to login once the screen saver locks your account.
    The option is "Require password to wake this computer from sleep or screen saver"
    Although one would assume that the credentials required to wake the computer is the username/password of the account that was being used when the computer went into sleep mode or the screen saver.
    Never assume
    WRONG!!! Anyone with an account on the machine can enter their username/password and wake the computer and voila that user now has control of the machine as the former user. That's right you guessed it HUGE security hole.
    Anyone with a standard user account? Are you quite sure?
    Anyone thinking that they can walk away from their machine and have the screen saver or sleep mode protect their account after a specified period of time is sadly mistaken. Anyone with an account on the machine can enter their own username and password and drop right into your account right where you left off.
    I never think that way. A more secure lock is ensured by using the screen lock feature of the keychain.
    Can you believe this stuff?
    Not sure what stuff you refer to.
    No warning, no release note to tell you of such a poorly designed "security" option.
    Would you believe that anyone can access your computer? Stolen computers are regularly started up without much problem.
    Apple please fix what must have been an oversight or at least tell people about this intentional design BEFORE they find anyone can wake the computer and become you as a user.
    You are writing to other users like yourself here, not Apple.
    I also presume you are new to the Mac world.

  • Potential Security Hole with 802.1x and Voice VLANs?

    I have been looking at 802.1x and Voice VLANs and I can see what I think is a bit of a security hole.
    If a user has no authentication details to gain access via 802.1x - i.e. they have not been given a User ID or the PC doesn't have a certificate etc. If they attach a PC to a switchport that is configured with a Voice VLAN (or disconnect an IP Phone and plug the PC direct into the switchport) they can easily see via packet sniffing the CDP packets that will contain the Voice VLAN ID. They can then easily create a Tagged Virtual NIC (via the NIC utilities or driver etc) with the Voice VLAN 802.1q Tag. Assuming DHCP is enabled for the Voice VLAN they will get assigned an IP address and have access to the IP network. I appreciate the VLAN can be locked down at the Layer-3 level with ACL's so any 'non-voice related' traffic is blocked but in this scenario the user has successfully bypassed 802.1x authentication and gained access to the network?
    Has anyone done any research into this potential security hole?
    Thanks
    Andy

    Thanks for the reply. To be honest we would normally deploy some or all of the measures you list but these don't get around the issue of being able to easily bypass having to authenticate via 802.1x.
    As I said I think this is a hole but don't see any solutions at the moment except 802.1x on the IP Phone, although at the moment you can't do this with Voice VLANs?
    Andy

  • Accessing secured content area view from JPDK

    Is it possible to access the secured content area views from JPDK?
    For example if I am logged on as user USER1 in Portal, is it then possible to access WWSBR_ALL_ITEMS as USER1?

    hi,
    You can access Content Area APIs from any user using JDBC calls. But, you may have to grant 'EXECUTE' privileges on those procedures (& SELECT privilege if it's a DB object like Table, VIEW).
    If you are using PL/SQL procedures in your application, you can directly access them through PL/SQL calls, otherwise you have to use JDBC.
    --Sriram

  • Disable preferences option to temporarily save documents (security hole?)

    Hi Adobe Community,
    we have a project where we want to use Adobe Acrobat X as Scan-Software for secure content. With the help of a predefined action, the scan gets directly encrypted.
    The problem that we have with this approach, is that there is a preference option that allows to temporarily save the document in regular time periods (1-99 minutes). If this option can be activated by the end-user, there may be secure content on the hard drive of the PC without encryption. This would be a security hole - therefore the question:
    Can this preference be deactivated by default from the central IT? Effectively, only 2 workstations in a special secure area need to have this special configuration.
    Thanks & Best Regards
    Kristian

    Simple answer - no. Users can always access their preferences.

  • SQ02 Infoset - security hole - authority

    Hi,
    I have heard, that SQ02 (creating Infosets) has several security holes (regarding authorizations). Does anybody know about it and could specify these holes?
    Thanks
    Markus

    HI,
    When you create an infoset, you attach a user group to the infoset. In the user group, you specify multiple users that can have access to your infoset and query.
    So these multiple users can have access to your infoset and then can change the code.
    But if you restrict the authorisation to users and not allow them to change or create queries using your infoset.
    Object S_QUERY revokes authorization to change or create queries for a specific user.
    Hope this will help you.
    Reward points if it's helpful
    Thanks,
    Vijay

  • Planning Refresh wiping out access security

    Hi,
    We are facing issues with access security getting wiped out from planning applications.
    We need assistance in researching what is causing the read/write access security to get wiped out from planning applications. Twice now in the last month this security has been eliminated and had to be manually reloaded.
    This is what the refresh script looks like; we perform the refresh on a daily basis. The refresh completes with no issues.
    . /opt/hyperion/Planning/bin/CubeRefresh.sh /A:appname /U:$UID /P:$PWD /R /D /FS
    CubeRefresh.sh looks like this:
    PLN_JAR_PATH=/opt/hyperion/Planning/bin
    export PLN_JAR_PATH
    . "${PLN_JAR_PATH}/setHPenv.sh"
    "${HS_JAVA_HOME}/bin/java" -classpath ${CLASSPATH} com.hyperion.planning.HspCubeRefreshCmd $1 $2 $3 $4 $5 $6 $7
    Could someone please assist on this? What could be the possible root cause?

    I take it is version 11.1.1.x then maybe it relates to the following Oracle support doc - "Hyperion Planning Security Disappears After Refreshing Security (Doc ID 1378363.1)"
    Cheers
    John
    http://john-goodwin.blogspot.com/
