Today I needed to find who is the developer of an M3 customer modification. There is a bug in the MForms Bookmark of program M3 Customer. Connect Addresses – OIS002 which the developer modified for our customer’s needs, and I needed to report the bug to that developer. But I do not have the MAK training nor tool, so I cannot easily see the list of modifications and their authors. My colleague Shashank remind me of the following answer in M3 Server View.
- Go to M3 Server View (from the Grid Management Pages, or from LifeCycle Manager):
- Find the interactive subsystem that is running the program (in my case OIS002), and select Tools:
- Select Find Class:
- Search for the M3 program (in my case OIS002):
- The line with the customer class will give the file path, version, author, date, and unique ID (in my case I found the author, Rajesh):
- Note: Up to here, we can access this page anonymously, without being an authenticated user nor an administrator (security vulnerability anyone?)
- Now, if we have access to the M3 Business Engine file system, we can open the file itself and see the full list of developers; in my case the file is at:
D:\Infor\M3BE\env\M3BE_15.1_TST\Fix\CUS\VFix\src\mvx\app\pgm\customer\OIS002.java:
That’s it.
Let me know in the comments below if you have other tips. Click Like. Share this post with your colleagues. Click Follow to subscribe. And come write the next blog post with us. This is a volunteer-based community, and your participation keeps this blog going. And send some love to the other M3 blogs too. Thank you.
M3 ideas 
Note: Up to here, we can access this page anonymously, without being an authenticated user nor an administrator (security vulnerability anyone?)
Already logged a case for that, you can actually do a lot more without logging in with some applications. The biggest issue was MEC, but that’s solved. Infor noted that a firewall should handle the access to the admin pages, but they are accessable through the default router..
Remco.
LikeLike
Yep. Holes everywhere. I have a growing pentest list.
LikeLike
We have the same concern. The Management page can be launched by any users. Is there a way to disable the web page, such as to remove the app from the server?
LikeLike
Yes, the general Infor Grid Management Page /grid/info.html is public on its network, revealing hostnames, port numbers and more, and I don’t think you can remove it. It’s OK if you trust your internal network and your users, which is not always safe. Surely don’t put your Infor Grid on the Internet as that would definitely be unsafe. As for the individual Grid application pages (e.g. M3BE, MWS, MEC, Mango, etc.), they are restricted by role and require authentication. I’m not a Grid administrator so you should double check with the Grid admin guide.
LikeLike
Dear Thibaud,
Thanks for your reply. You are right that it is difficult to remove it, as LSO and the web page is sharing the same protocol and the port. However, I just figure out a solution based on packet analysis, which would identify the web page visit and have the remote IP address blocked by using IPSec. It works quite well by identifying and blocking three IP addresses from our UK division.
I would like to share the solution at your website. Do you think it is possible? I have learned a lot from your posts and would like to make some contributions.
Best Regards,
Warren
warren.hou@fennerseals.com
LikeLiked by 1 person
For sure! Sharing good ideas is exactly the spirit of this blog. I will immediately send you an invite for an author account with instructions on how to start. Thank you.
LikeLike
Dear Thibaud,
Thanks a lot! My e-mail address is warren.hou@fennerseals.com
Regards,
Warren
LikeLike
I sent an invite at that email address a few hours ago. Did it reach to you?
LikeLike
No, I checked the junk mail folder as well, and could find it. Can you please send it to my personal e-mail address of warren.dahai.hou@gmail.com?
Regards,
Warren
LikeLike