From:	CRDGW2::CRDGW2::MRGATE::"SMTP::CRVAX.SRI.COM::RELAY-INFO-VAX" 25-FEB-1992 20:23:24.84
To:	ARISIA::EVERHART
CC:	
Subj:	Potential Security Problem w SAS V5.18

From:	RELAY-INFO-VAX@CRVAX.SRI.COM@SMTP@CRDGW2
To:	Everhart@Arisia@MRGATE

Received:  by crdgw1.ge.com (5.57/GE 1.123)
	 id AA03682; Tue, 25 Feb 92 19:48:04 EST
Received: From UCBVAX.BERKELEY.EDU by CRVAX.SRI.COM with TCP; Tue, 25 FEB 92 16:42:32 PST
Received: by ucbvax.Berkeley.EDU (5.63/1.43)
	id AA09597; Tue, 25 Feb 92 16:38:37 -0800
Received: from USENET by ucbvax.Berkeley.EDU with netnews
	for info-vax@kl.sri.com (info-vax@kl.sri.com)
	(contact usenet@ucbvax.Berkeley.EDU if you have questions)
Date: 21 Feb 92 17:16:22 GMT
From: van-bc!rsoft!agate!dog.ee.lbl.gov!hellgate.utah.edu!cs.utexas.edu!sun-barr!olivea!spool.mu.edu!umn.edu!msus1.msus.edu!stafford@ucbvax.Berkeley.EDU
Organization: Minnesota State University System
Subject: Potential Security Problem w SAS V5.18
Message-Id: <1992Feb21.111623.207@msus1.msus.edu>
Sender: info-vax-request@kl.sri.com
To: info-vax@kl.sri.com

Attn: VAX/VMS sites with SAS V5.18

It has been affirmed by two other SAS sites that some (probably early) SAS
Version 5.18 sites have a potentially grave installation bug (oversight)
which allows any mildly informed user to gain all privs and wreak any kind
of havoc. 

The SAS Institute found same oversight in their own in-house installation
over a year ago and to my knowledge has not informed their clients.

For details, inquire Stafford@Vax2.Winona.MSUS.EDU
                  or SYSTEM@Vax2.Winona.MSUS.EDU

 I will respond only to SYSTEM at VAX/VMS sites.