Solved

Security issues with Sybase ODBC connections?

Posted on 2004-09-21
381 Views
Last Modified: 2008-03-10
We have a Sybase ASE 12.5.0.2 database on Win2k.  We have approximately 50 Win2k/WinXP workstations running a Visual Basic front-end to retrieve data from this database.  Data access is via an ODBC connection using the Sybase ASE ODBC Driver.  The username/password combination is hidden in the VB application and is the same for all users.

The database server is in a secure environment and Windows Access Control is considered good.  The clients are in a non-secure environment and Access Control is poor.

We have disabled the application if it discovers that Tracing has been switched on.

What are other security issues we need to think about?  Do you have any recommended solutions?
Question by:ErichN
9 Comments
 
LVL 29

Expert Comment

by:leonstryker
ID: 12114102
Does the application allow the users to create and pass through query strings?

Leon
 
LVL 29

Expert Comment

by:leonstryker
ID: 12114144
Even though the user/password are hidden in the exe, it can be retrieved.  What kind of permission does this login id have?

It should be limited to executing stored procedures and/or running selects on views.

Leon
 

Author Comment

by:ErichN
ID: 12114727
Leon,

The application completely controls the creation of query strings. I am not concerned about anything the application does - this is well controlled.  I am concerned about the contents of one table, which the user needs read/write access to.  The application restricts access to certain rows in that table.  I am concerned that if the username/password combination became known, access to the whole table would be possible.

The password is stored in various variables in different modules of the application and only put together into one string before connecting to the database - I hoped this would make it difficult to retrieve.
 
LVL 29

Expert Comment

by:leonstryker
ID: 12114798
>>the user needs read/write access to

Why?  Allow access only through stored procedures.  No table access should be given.

>>The password is stored in various variables in different modules of the application and only put together into one string before connecting to the database - I hoped this would make it difficult to retrieve.

Yes, this will make it more difficult to retrieve (but not impossible).

In general, I am surprised you do not track individual user access through their logon ids.

Leon
 

Author Comment

by:ErichN
ID: 12115207
>> Allow access only through stored procedures.  No table access should be given.

This would be a major rewrite - but yes I understand what you are saying and will check this out more.

>> In general, I am surprised you do not track individual user access through their logon ids.

Well, we do have 'application login' which allows us to track their access. It is not based on Sybase users, but on a table with 'application user/password' combinations.
 
LVL 29

Accepted Solution

by:
leonstryker earned 400 total points
ID: 12115411
>>Well we do have 'application login' which allows us to track their access. It is not based on sybase users, but a table with 'application user/password' combination.

Have you checked this for dynamic SQL access?  Try this: start the application, and when the id and password screen comes up, type nothing for id and for password type this:

' OR 1=1

If this lets you in, you have a big security hole.

Leon

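The login lookup that Leon's test probes for, as an added example that is not from this thread: a Python stand-in for the VB application's 'application user/password' check, with the string-concatenated query beside a parameterized one. sqlite3 replaces Sybase/ODBC so it runs offline, and the table, column and user names are constructed assumptions, not the original schema.

```python
import sqlite3

# Constructed stand-in for the 'application user/password' table from the
# question; names are assumptions (a real table would hold password hashes).
SAMPLE_USERS = [("alice", "s3cret"), ("o'brien", "pass1")]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE app_users (username TEXT, password TEXT)")
    con.executemany("INSERT INTO app_users VALUES (?, ?)", SAMPLE_USERS)
    return con


def build_concat_sql(user, pwd):
    # The risky pattern: credentials pasted straight into the SQL text.
    return ("SELECT username FROM app_users WHERE username='" + user
            + "' AND password='" + pwd + "'")


def login_concat(con, user, pwd):
    """Vulnerable check: a quote in the input changes the query text, so the
    input is parsed as SQL instead of being compared as data."""
    try:
        row = con.execute(build_concat_sql(user, pwd)).fetchone()
    except sqlite3.OperationalError as exc:
        # A parser error here proves the input reached the SQL grammar; an
        # application that reports this as "login failed" hides the hole.
        return ("sql_error", str(exc))
    return ("ok", row[0]) if row else ("denied", None)


def login_param(con, user, pwd):
    """Hardened check: bind parameters travel separately from the SQL text,
    so ' OR 1=1 is just a string that matches no stored password."""
    row = con.execute(
        "SELECT username FROM app_users WHERE username=? AND password=?",
        (user, pwd)).fetchone()
    return ("ok", row[0]) if row else ("denied", None)


if __name__ == "__main__":
    con = make_db()
    for check in (login_concat, login_param):
        print(check.__name__, check(con, "", "' OR 1=1"))
        print(check.__name__, check(con, "o'brien", "pass1"))
```

With the thread's exact input the concatenated query fails with a parser error rather than logging in, so an application that shows that as an ordinary failed login passes the manual test while still being injectable (and also rejects legitimate names containing an apostrophe). Bind parameters remove the problem regardless of input.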
 
LVL 14

Expert Comment

by:Jan_Franek
ID: 12116957
You should also check whether you have set up password encryption - otherwise the login name and password can be retrieved from captured network communication. If you want to secure all the communication, use SSL.
 

Author Comment

by:ErichN
ID: 12120096
Leon,
I have tested and there is no problem with ' OR 1=1.
In addition, even if they managed to trick the login somehow, a user with an incorrect pseudo username does not have access to the data I want to protect (governed by the application).

Jan Franek,
Where and how do I set up password encryption?

How do I use SSL?

 
LVL 14

Expert Comment

by:Jan_Franek
ID: 12120538
On the client side you can set it in the ODBC DSN properties - I think it's on the Connection tab. However, it needs some changes on the server side too - check your Sybase manuals.
