Solved

Security issues with Sybase ODBC connections?

Posted on 2004-09-21
9
354 Views
Last Modified: 2008-03-10
We have a Sybase ASE 12.5.0.2 database on Win2k.  We have approximately 50 Win2k/WinXP workstations running a Visual Basic Front-end to retreive data from this database.  Data Access is via an ODBC connection using the Sybase ASE ODBC Driver.  The username/password combination is hidden in the VB-Application and is the same for all users.

The database server is in a secure environment and Windows Access Control is considered good.  The clients are in a non-secure environment and Access Control is poor.

We have disabled the application if it discovers that Tracing has been switched on.

What are other security issues we need to think about?  Do you have any recommended solutions?
0
Comment
Question by:ErichN
  • 4
  • 3
  • 2
9 Comments
 
LVL 29

Expert Comment

by:leonstryker
ID: 12114102
Does the application allow the users to create and pass through query strings?

Leon
0
 
LVL 29

Expert Comment

by:leonstryker
ID: 12114144
Even though the user/password are hidden in the exe, it can be retrieved.  What kind of permission does this login id have?

It should be limited to executing store procedures and/or running selects on views.

Leon
0
 

Author Comment

by:ErichN
ID: 12114727
Leon,

The application completely controls the creation of query strings. I am not concerned about anything the application does - this is well controlled.  I am concerned about the contents of one table, which the user needs read/write access to.  The application restricts access to certain rows in that table.  I am concerned that if the username/password combination became known, access to the whole table would be possible.

The password is stored in various variables in different modules of the application and only put together into one string before connecting to the database - I hoped this would make it difficult to retreive.
0
 
LVL 29

Expert Comment

by:leonstryker
ID: 12114798
>>the user needs read/write access to

Why?  Allow access only through store procedures.  No table access should be given.

>>The password is stored in various variables in different modules of the application and only put together into one string before connecting to the database - I hoped this would make it difficult to retreive.

Yes, this will make it more difficult to retrieve (but not impossible).

In general, I am surprised you do not track induvidual user access through their logon ids.

Leon
0
Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

 

Author Comment

by:ErichN
ID: 12115207
>> Allow access only through store procedures.  No table access should be given.

This would be a major rewrite - but yes I understand what you are saying and will check this out more.

>> In general, I am surprised you do not track induvidual user access through their logon ids.

Well we do have 'application login' which allows us to track their access. It is not based on sybase users, but a table with 'application user/password' combination.
0
 
LVL 29

Accepted Solution

by:
leonstryker earned 400 total points
ID: 12115411
>>Well we do have 'application login' which allows us to track their access. It is not based on sybase users, but a table with 'application user/password' combination.

Have you checked this for dynamic SQL access?  Try this, start the application then the id and password screen comes up type nothing for id and for password type this:

' OR 1=1

If this lets you in, you have a big security hole.

Leon

0
 
LVL 14

Expert Comment

by:Jan_Franek
ID: 12116957
You should also check, whether you have set-up password encryption - otherwise login name and password can be retrieved from captured network comunication. If you want to secure all the communication, use SSL.
0
 

Author Comment

by:ErichN
ID: 12120096
Leon,
I have tested and there is no problem with ' OR 1=1.
In addition, even if they managed to trick the login somehow, a user with an incorrect pseudo username does not have access to the data I want to protect (governed by the application).

Jan Franek,
Where and how do I set up password encryption?

How do I use SSL?

0
 
LVL 14

Expert Comment

by:Jan_Franek
ID: 12120538
On the client's side you can set it in ODBC DSN properties - I think it's on Connection tab. However it need's some changes on server side too - check your Sybase manuals.
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

Get to know the ins and outs of building a web-based ERP system for your enterprise. Development timeline, technology, and costs outlined.
Find out what the Office 365 disclaimer function is, why you would use it and its limited ability to create Office 365 signatures.
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now