DHCP Security Leak

Simon Hobson dhcp1 at thehobsons.co.uk
Wed May 2 14:25:18 UTC 2007

guru.bidari at sirvisetti.com wrote:

>We are using one product called AutoPrint (remote printing solution
>which uses oracle apps, we ftp the generated report from oracle apps to a
>ftp server running on windows) the way it works, we think we have a
>security leak.

So Oracle generates a print job and sends it by FTP to the USER'S
workstation? What kind of stupid hack is that?

>After a user scheduled a job and he logged out before the job is finished
>and ftp-ed, it is possible that another user gets that IP-address before
>the output is processed.
>This is more of an issue when concurrent request is re-scheduled to run at
>an interval.
>So we think that it is a leak that another user on a different pc can get
>the output of that request, because that pc has leased the IP-address now.
>Please provide us the solution to overcome this security leak.

As I stated yesterday, under normal circumstances, another 
workstation will NOT get the address assigned to another PC as soon 
as a user logs off. BTW - do you REALLY mean "logged out" and not 
"shut down"? If the user simply logs out then the PC will still be
active and will retain its IP address.

Send the job directly to a network attached printer. Users can still 
intercept it by unplugging the printer and reconfiguring their PC at 
the same address, but at least they can't 'accidentally' get the 

If this isn't good enough, send the job to a secure server and attach 
the printer directly to that - someone could still unplug the printer 
and connect something else, but it's much harder.

And of course, there is also the minor issue of "how do you stop 
someone simply picking up the printout as they walk past?"

In summary, the ONLY security issue that is in any way DHCP related 
is the decision to FTP a report directly to an arbitrary IP address - 
but in reality this is an application design issue.
