MSIR.0559 WEBLOGCOOKIE and WEBPUBLOG are mutually exclusive parameters: Difference between revisions
(Automatically generated page update) |
(Automatically generated page update) |
||
Line 1: | Line 1: | ||
Both the WEBLOGCOOKIE and the WEBPUBLOG parameter were specified on a JANUS DEFINE command. WEBPUBLOG makes it possible for a public (non-password-protected) login to a userid that has system manager privileges by giving the WEBUSER userid system manager privileges either in CCASTAT or an external authorizer. While this might be intended and somewhat "safe" it is not recommended operating procedure. Specifying WEBLOGCOOKIE with WEBPUBLOG makes the situation considerably worse by making it possible for a user (or hacker) to set the login cookie to a userid of a system manager and then having WEBPUBLOG cause the user's request to run with system manager privileges. While it still might not be possible for a user (or hacker) to take advantage of this (depending on the web applications) it was deemed to dangerous to allow WEBLOGCOOKIE to be used in conjunction with WEBPUBLOG. If the ability to use both these facilities is essential, contact [[Contacting Rocket Software Technical Support|Technical Support]] to see what might be done. | Both the WEBLOGCOOKIE and the WEBPUBLOG parameter were specified on a JANUS DEFINE command. WEBPUBLOG makes it possible for a public (non-password-protected) login to a userid that has system manager privileges by giving the WEBUSER userid system manager privileges either in CCASTAT or an external authorizer. While this might be intended and somewhat "safe" it is not recommended operating procedure. Specifying WEBLOGCOOKIE with WEBPUBLOG makes the situation considerably worse by making it possible for a user (or hacker) to set the login cookie to a userid of a system manager and then having WEBPUBLOG cause the user's request to run with system manager privileges. While it still might not be possible for a user (or hacker) to take advantage of this (depending on the web applications) it was deemed to dangerous to allow WEBLOGCOOKIE to be used in conjunction with WEBPUBLOG. If the ability to use both these facilities is essential, contact [[Contacting Rocket Software Technical Support|Technical Support]] to see what might be done. | ||
{{Template:MSIR.0559 footer}} | |||
[[Category:Sirius Mods messages]] [[Category:MSIR.0400 - MSIR.0599]] | [[Category:Sirius Mods messages]] [[Category:MSIR.0400 - MSIR.0599]] |
Revision as of 20:34, 11 July 2016
Both the WEBLOGCOOKIE and the WEBPUBLOG parameter were specified on a JANUS DEFINE command. WEBPUBLOG makes it possible for a public (non-password-protected) login to a userid that has system manager privileges by giving the WEBUSER userid system manager privileges either in CCASTAT or an external authorizer. While this might be intended and somewhat "safe" it is not recommended operating procedure. Specifying WEBLOGCOOKIE with WEBPUBLOG makes the situation considerably worse by making it possible for a user (or hacker) to set the login cookie to a userid of a system manager and then having WEBPUBLOG cause the user's request to run with system manager privileges. While it still might not be possible for a user (or hacker) to take advantage of this (depending on the web applications) it was deemed to dangerous to allow WEBLOGCOOKIE to be used in conjunction with WEBPUBLOG. If the ability to use both these facilities is essential, contact Technical Support to see what might be done.
Message attributes:
RETCODEO=0 | Sets online return code |
---|---|
RETCODEB=4 | Sets batch (single user) return code |
CLASS=E | Error class; the message can be suppressed with the X'04' bit setting of the MSGCTL parameter |
AUDITER | Writes the message with line type ER to the audit trail |
COUNT | Increments the error count (ERCNT) parameter |