From: CRDGW2::CRDGW2::MRGATE::"SMTP::CRVAX.SRI.COM::RELAY-INFO-VAX" 25-FEB-1992 20:23:24.84 To: ARISIA::EVERHART CC: Subj: Potential Security Problem w SAS V5.18 From: RELAY-INFO-VAX@CRVAX.SRI.COM@SMTP@CRDGW2 To: Everhart@Arisia@MRGATE Received: by crdgw1.ge.com (5.57/GE 1.123) id AA03682; Tue, 25 Feb 92 19:48:04 EST Received: From UCBVAX.BERKELEY.EDU by CRVAX.SRI.COM with TCP; Tue, 25 FEB 92 16:42:32 PST Received: by ucbvax.Berkeley.EDU (5.63/1.43) id AA09597; Tue, 25 Feb 92 16:38:37 -0800 Received: from USENET by ucbvax.Berkeley.EDU with netnews for info-vax@kl.sri.com (info-vax@kl.sri.com) (contact usenet@ucbvax.Berkeley.EDU if you have questions) Date: 21 Feb 92 17:16:22 GMT From: van-bc!rsoft!agate!dog.ee.lbl.gov!hellgate.utah.edu!cs.utexas.edu!sun-barr!olivea!spool.mu.edu!umn.edu!msus1.msus.edu!stafford@ucbvax.Berkeley.EDU Organization: Minnesota State University System Subject: Potential Security Problem w SAS V5.18 Message-Id: <1992Feb21.111623.207@msus1.msus.edu> Sender: info-vax-request@kl.sri.com To: info-vax@kl.sri.com Attn: VAX/VMS sites with SAS V5.18 It has been affirmed by two other SAS sites that some (probably early) SAS Version 5.18 sites have a potentially grave installation bug (oversight) which allows any mildly informed user to gain all privs and wreak any kind of havoc. The SAS Institute found same oversight in their own in-house installation over a year ago and to my knowledge has not informed their clients. For details, inquire Stafford@Vax2.Winona.MSUS.EDU or SYSTEM@Vax2.Winona.MSUS.EDU I will respond only to SYSTEM at VAX/VMS sites.