Prev
Next
Forums Lawson Business Intelligence/Reporting/Crystal

security hole in LBI

Sort:
You are not authorized to post a reply.
Author
Messages
Jimmy Chiu
Veteran Member
Posts: 641
Veteran Member
9/29/2010 5:49 PM
    I just logged this hole with Lawson. Hopefully they will fix it soon.

    Anyway, here is the security hole.

    Ie: http://server:port/efs/ConfigurationAssistant

    No login check, nothing, and you can make changes.
    Matthew Nye
    Veteran Member
    Posts: 514
    Veteran Member
    9/29/2010 6:15 PM
      Lawson recommends that after the installation this file is renamed and moved out of the EFS directory. Its meant as an installation and troubleshooting device but shouldnt be left in place. Additionally you could secure this specific file using Authentication security through your web server. Security hole, security by obscurity or just another "undocumented functionality" perhaps.
      If any of my answers were helpful an endorsement on LinkedIn would be much appriciated! www.linkedin.com/pub/matthew-nye/1a/886/760/
      Matthew Nye
      Veteran Member
      Posts: 514
      Veteran Member
      10/21/2010 8:41 PM
        Lawson recommends that after the installation this file is renamed and moved out
        of the EFS directory. Its meant as an installation and troubleshooting device
        but shouldnt be left in place. Additionally you could secure this specific file
        using Authentication security through your web server. Security hole, security
        by obscurity or just another "undocumented functionality" perhaps.
        If any of my answers were helpful an endorsement on LinkedIn would be much appriciated! www.linkedin.com/pub/matthew-nye/1a/886/760/
        You are not authorized to post a reply.