As of December 1, 2020, Focal Point is retired and repurposed as a reference repository. We value the wealth of knowledge that's been shared here over the years. You'll continue to have access to this treasure trove of knowledge, for search purposes only.
Join the TIBCO Community TIBCO Community is a collaborative space for users to share knowledge and support one another in making the best use of TIBCO products and services. There are several TIBCO WebFOCUS resources in the community.
From the Home page, select Predict: WebFOCUS to view articles, questions, and trending articles.
Select Products from the top navigation bar, scroll, and then select the TIBCO WebFOCUS product page to view product overview, articles, and discussions.
Request access to the private WebFOCUS User Group (login required) to network with fellow members.
Former myibi community members should have received an email on 8/3/22 to activate their user accounts to join the community. Check your Spam folder for the email. Please get in touch with us at community@tibco.com for further assistance. Reference the community FAQ to learn more about the community.
We use WebFOCUS client 5.3.2 with a MVS Reporting Server. User authenication at WebFOCUS sign-on time is via the User's mainframe ID and Password. WebFOCUS captures these values and stores them in &IBIC_user and &IBIC_pass respectively. Is there a way to configure WebFOCUS so that &IBIC_pass is not visible or available? This seems to be a security breach in that anyone who knows how to access &IBIC_pass can literally get the password of any WebFOCUS User in the entire Entrerprise.
A minor item compared to the fact that a certain university in Northern USA has their WebFOCUS portal open to the Internet and you can even access the adhoc fex page.
Just suppose some person with dubious intentions wanted to write a piece of code such as -
CMD ERASE C:/*.*
into the adhoc fex. Who do you think the Uni would blame?
I can now imagine all the Unis in the US of A running around to see if they have this similar exposure.
How did I find this particular Uni? A google search for a WebFOCUS problem!
Sorry for highjacking your topic but I just wanted to point out that security (as you know) is very important and not something a lot of sites think about!
The Uni in question appears to have plugged their little hole now.
T
In FOCUS since 1986
WebFOCUS Server 8.2.01M, thru 8.2.07 on Windows Svr 2008 R2
WebFOCUS App Studio 8.2.06 standalone on Windows 10
Posts: 5694 | Location: United Kingdom | Registered: April 08, 2004
yikes Ed, get in touch with Jim Thorstad at IBI in ny, he's the guy who gives the security talks at summit, or open a case with CSS and request that the css rep contact Jim for you. hmm. no secrets google can't uncover
In Focus since 1979///7706m/5 ;wintel 2008/64;OAM security; Oracle db, ///MRE/BID
Posts: 3811 | Location: Manhattan | Registered: October 28, 2003
I have let someone at the Uni know that they have this breach and I have rechecked and it isn't plugged!!
It wasn't me that found this hole either, I just feel that the community should know about these things when they expose their reporting portal to the wider internet.
T
In FOCUS since 1986
WebFOCUS Server 8.2.01M, thru 8.2.07 on Windows Svr 2008 R2
WebFOCUS App Studio 8.2.06 standalone on Windows 10
Posts: 5694 | Location: United Kingdom | Registered: April 08, 2004
IBIC_user and pass are usually configured with a (dontpass) option. This implies that they should not be available beyond the web application. Has someone messed with the site.wfs or another .wfs file and removed the dontpass option?
As far as the CMD ERASE stuff, the server can be configured to not allow op system level commands, thereby preventing this type of attack.
"There is no limit to what you can achieve ... if you don’t care who gets the credit." Roger Abbott
Considering that it required a Technical Memo 4608 issued on 7.1 before this security hole was identified and plugged, it's not surprising that the adhoc fex application is still accessable by non-managed reporting users at a number of installations across the globe. I know our university was bit by this for a period of time after our initial install.
Perhaps Kerry can offer a suggestion of the best way to forward security notifications uncovered by colleagues to the appropriate IBI customer contact?
Dan Kenny University of Nebraska at Omaha Prod: WF 7.1.6 Linux BID/MRE/Data Migrator Test: WF 7.6.1 Linux BID/MRE/Data Migrator
Ironically, I was checking my SITE.WFS file to see how I plugged this hole to share with everyone on Focal Point and I discovered that I actually only narrowed the hole, not plugged it. Go figure. It is plugged on our production servers now.
I did this by using the following code in the SITE.WFS config file.
Simply put, if the IBIF_adhocfex variable exists, deny the request and send back an HTML page containing a customized error message. I permit no usage of the IBIF_adhocfex variable on our production boxes.
I don't think this will work for everyone since DevStudio uses this variable at times if not all the time.
Does anyone else have a better or more elegant solution? I could not find the Tech Memo on Tech Support.
Thanks!
Mickey
FOCUS/WebFOCUS 1990 - 2011
Posts: 995 | Location: Gaithersburg, MD, USA | Registered: May 07, 2003
The TM4608 has you invalidate a lot of IBI variables - it also knocks out your ability to run the New Century Corp demos -- I ended up punching a hole through for IBIAPP_app directory ibinccen......
<if> IBIMR_user EQ NULL OR IBIMR_user EQ ""
<if> IBIF_adhocfex NE NULL OR IBIF_adhocfex NE "" OR \\=
IBIF_ex NE NULL OR IBIF_ex NE "" OR \\=
IBIF_focexec NE NULL OR IBIF_focexec NE "" OR \\=
IBIF_raw NE NULL OR IBIF_raw NE ""
<htmlform> &IBI_HTML_DIR/errorpage.htm
<exit>
<endif>
<endif>
Dan Kenny University of Nebraska at Omaha Prod: WF 7.1.6 BID/MRE/Data Migrator Test: WF 7.6.1 BID/MRE/Data Migrator