WebFOCUS/FOCUS Forum on Focal Point: SQL Pass-through security risks

Gold member
posted
I have heard from several clients that they would never turn on SQL pass-through at their site because of the security risks. But no one seems to know exactly how it can be exploited and how to prevent the supposed risk, so they just turn it off.

Does using this feature really pose a risk?

Thanks - Prod 7.6.2 MVS and UNIX

Steve


Dev Studio /7.6.11/7.7.02M
MVS/USS
AIX/SOLARIS
Windows WF Client 7.6.8/7.6.11
 
Posts: 64 | Location: Eastern and middle NC | Registered: March 13, 2007Report This Post
Virtuoso
posted Hide Post
I would say from the standpoint of data access, SQL passthru would allow more access than using the MFD synonym interface, as the MFD can be set up to limit what fields are available and other security can be added. Passthru bypasses that.


Leah
 
Posts: 1317 | Location: Council Bluffs, IA | Registered: May 24, 2004Report This Post
Expert
posted Hide Post
SQL Passthru poses no greater risk than doing the report via a master file description and a TABLE request.

Most shops set up their environment such that there is a single connect string with a generic userid/pw in the edasprof.prf. That connection is used regardless of whether you are using TABLE or SQL Passthru.

The place to protect the tables is in the data source, and only allow that generic id read-only access.

At our shop, we do a lot of the above. But we also have instances where we are required to pass user credentials to the data source. In that case, we use an exit to collect the uid/pw and pass the credentials in a -INCLUDE connect program with amper variables for the credentials.

Hope this clears things up for you.


Ginny
---------------------------------
Prod: WF 7.7.01 Dev: WF 7.6.9-11
Admin, MRE,self-service; adapters: Teradata, DB2, Oracle, SQL Server, Essbase, ESRI, FlexEnable, Google
 
Posts: 2723 | Location: Ann Arbor, MI | Registered: April 05, 2006Report This Post
Master
posted Hide Post
Grant SELECT only for your generic user if you're using a generic user to connect to your database. That will at least keep folks from modifying/deleting data.


Prod: Single Windows 2008 Server running Webfocus 7.7.03 Reporting server Web server IIS6/Tomcat, AS400 DB2 database.
 
Posts: 611 | Registered: January 04, 2007Report This Post
Platinum Member
posted Hide Post
The security risk with SQL Passthru exists if you set up DBA security within your master files, because SQL Passthru bypasses the master files.


WF 7.7.05
HP-UX - Reporting Server, Windows 2008 - Client, MSSQL 2008, FOCUS Databases, Flat Files
HTML, Excel, PDF
 
Posts: 149 | Location: Dallas, TX | Registered: June 08, 2007Report This Post
Platinum Member
posted Hide Post
In reference to Linus's comment, I would bet that any DBA security set up in the masters could also be done via RDBMS views. You would then grant read access to the particular views and not to the actual tables themselves. I think direct SQL pass-thru is terrific.


Data Migrator 5.3, 7.1, 7.6
WebFOCUS 7.1, 7.6, 7.7
SQL Server, Oracle, DB2
Windows
 
Posts: 126 | Registered: January 18, 2007Report This Post
Master
posted Hide Post
Do I understand this correctly?

Your generic ID that connects to your database must have all the rights that you need to do whatever has to be done in WebFOCUS, from the lowest user to the CEO. If someone figures this out, then they could build an SQL passthru report where they select salary_amount from salary_table, and the generic user ID would be passed to the database, as well as the IP address of the WebFOCUS reporting server?

bummer.


Prod: Single Windows 2008 Server running Webfocus 7.7.03 Reporting server Web server IIS6/Tomcat, AS400 DB2 database.
 
Posts: 611 | Registered: January 04, 2007Report This Post
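The mitigation the earlier replies describe (a read-only generic id, with the field restrictions that DBA security would put in a master file moved into RDBMS views so that pass-through cannot bypass them), written out as an added example that is not from the thread. The schema, table, column and user names (hr, salary_table, salary_amount, wf_generic) are assumptions, the user is assumed to already exist, and the syntax is generic SQL that may need adjusting for Oracle, DB2 or SQL Server:

```sql
-- Added example, not from the thread. All object names are assumptions.

-- 1. The base table holds the sensitive column that the generic
--    reporting id must never be able to read.
CREATE TABLE hr.salary_table (
    emp_id        INTEGER       NOT NULL PRIMARY KEY,
    emp_name      VARCHAR(60)   NOT NULL,
    dept          VARCHAR(20)   NOT NULL,
    salary_amount DECIMAL(12,2) NOT NULL
);

-- 2. A view exposing only the columns ordinary reports need. This is the
--    master-file DBA field restriction re-created inside the database,
--    where a pass-through SELECT cannot route around it.
CREATE VIEW hr.employee_public AS
SELECT emp_id, emp_name, dept
FROM   hr.salary_table;

-- 3. Least privilege for the generic id used in edasprof.prf: SELECT on
--    the view only, no privilege on the base table, and no
--    INSERT/UPDATE/DELETE anywhere. The REVOKE is defensive in case a
--    broader grant was made earlier.
GRANT SELECT ON hr.employee_public TO wf_generic;
REVOKE ALL PRIVILEGES ON hr.salary_table FROM wf_generic;

-- 4. Effect under wf_generic:
--      SELECT salary_amount FROM hr.salary_table;   -- permission denied
--      SELECT emp_name, dept FROM hr.employee_public; -- still works
--    so a pass-through report gains nothing a TABLE request could not.

-- 5. Periodic check (where INFORMATION_SCHEMA is available, e.g. SQL Server
--    or DB2 LUW): the generic id should appear only with SELECT and only on
--    views, never on base tables holding sensitive columns.
SELECT table_schema, table_name, privilege_type
FROM   information_schema.table_privileges
WHERE  grantee = 'WF_GENERIC'
ORDER  BY table_schema, table_name;
```

Where per-user credentials are passed through the callable exit instead of the generic id, the same view and grant pattern applies to each real database user.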
Guru
posted Hide Post
For the reason that Jason mentions, the generic user id can't have access to the more sensitive data. We get more "special" user ids and passwords by using the callable exit. This gets invoked at the beginning of the focexec, and then can be in effect for SQL passthrough (or FOCUS code).


(Prod: WebFOCUS 7.7.03: Win 2008 & AIX hub/Servlet Mode; sub: AS/400 JDE; mostly Self Serve; DBs: Oracle, JDE, SQLServer; various output formats)
 
Posts: 391 | Location: California | Registered: April 14, 2003Report This Post
<SomeUsr>
posted
It really depends on how you have your system set up and how security conscious your System Administrators and Programmers are. There are people that will try to insert SQL or other code into your Web Forms. SQL PassThru could very well be an aid in this exploitation method.
Copyright © 1996-2020 Information Builders