security hole in LBI

Jimmy Chiu
Veteran Member
Posts: 641
    I just logged this hole with Lawson. Hopefully they will fix it soon.

    Anyway, here is the security hole.

    Ie: http://server:port/efs/ConfigurationAssistant

    No login check, nothing, and you can make changes.
    Matthew Nye
    Veteran Member
    Posts: 514
      Lawson recommends that after the installation this file is renamed and moved out of the EFS directory. It's meant as an installation and troubleshooting device but shouldn't be left in place. Additionally you could secure this specific file using Authentication security through your web server. Security hole, security by obscurity or just another "undocumented functionality" perhaps.
      If any of my answers were helpful an endorsement on LinkedIn would be much appreciated! www.linkedin.com/pub/matthew-nye/1a/886/760/
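
One way to confirm on your own server that either mitigation from the reply above took effect, as an added example that is not part of the original posts and not Lawson's code: it requests the path from the thread without credentials and classifies the answer. The base URL argument, the function names and the result labels are assumptions of this example.

```python
"""Added example: check that /efs/ConfigurationAssistant is not served anonymously."""
import sys
import urllib.error
import urllib.request

CONFIG_PATH = "/efs/ConfigurationAssistant"  # path quoted in the thread


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects, so a 3xx is reported instead of its target."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError carrying the 3xx code


def classify(status):
    """Map the HTTP status of an unauthenticated request to a finding (labels are this example's)."""
    if status in (404, 410):
        return "removed"      # file renamed or moved out of the EFS directory
    if status in (401, 403):
        return "protected"    # web server authentication is in front of it
    if status in (301, 302, 303, 307, 308):
        return "redirected"   # probably a login page; confirm the target by hand
    if 200 <= status < 300:
        return "exposed"      # served with no login check, as the first post reports
    return "unknown"


def check(base_url, timeout=10):
    """Request the page with no credentials and return the finding for base_url."""
    opener = urllib.request.build_opener(_NoRedirect)
    request = urllib.request.Request(base_url.rstrip("/") + CONFIG_PATH, method="GET")
    try:
        with opener.open(request, timeout=timeout) as response:
            return classify(response.status)
    except urllib.error.HTTPError as err:
        return classify(err.code)  # 3xx, 4xx and 5xx all arrive here


if __name__ == "__main__":
    # Usage: python check_lbi.py http://server:port   (your own LBI host)
    if len(sys.argv) != 2:
        sys.exit("usage: check_lbi.py http://server:port")
    finding = check(sys.argv[1])
    print(f"{sys.argv[1]}{CONFIG_PATH}: {finding}")
    sys.exit(0 if finding in ("removed", "protected") else 1)
```

The non-zero exit status for anything other than "removed" or "protected" lets the check run from a scheduled job after upgrades or reinstalls, which may put the file back.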