Focal Point
IBIC_pass Exposes Mainframe Password
May 03, 2007, 10:09 AM
Ed HoganIBIC_pass Exposes Mainframe Password
We use WebFOCUS client 5.3.2 with a MVS Reporting Server. User authenication at WebFOCUS sign-on time is via the User's mainframe ID and Password. WebFOCUS captures these values and stores them in &IBIC_user and &IBIC_pass respectively. Is there a way to configure WebFOCUS so that &IBIC_pass is not visible or available? This seems to be a security breach in that anyone who knows how to access &IBIC_pass can literally get the password of any WebFOCUS User in the entire Entrerprise.
WebFOCUS 716 MVS DB2 AIX UDB
May 03, 2007, 11:37 AM
Tony AEd,
A minor item compared to the fact that a certain university in Northern USA has their WebFOCUS portal open to the Internet and you can even access the adhoc fex page.
Just suppose some person with dubious intentions wanted to write a piece of code such as -
CMD ERASE C:/*.*
into the adhoc fex. Who do you think the Uni would blame?
I can now imagine all the Unis in the US of A running around to see if they have this similar exposure.
How did I find this particular Uni? A google search for a WebFOCUS problem!
Sorry for highjacking your topic but I just wanted to point out that security (as you know) is very important and not something a lot of sites think about!
The Uni in question appears to have plugged their little hole now.
T
In FOCUS since 1986 | WebFOCUS Server 8.2.01M, thru 8.2.07 on Windows Svr 2008 R2 | | |
WebFOCUS App Studio 8.2.06 standalone on Windows 10 | |
May 03, 2007, 02:29 PM
susannahyikes
Ed, get in touch with Jim Thorstad at IBI in ny, he's the guy who gives the security talks at summit, or open a case with CSS and request that the css rep contact Jim for you.
hmm. no secrets google can't uncover
| In Focus since 1979///7706m/5 ;wintel 2008/64;OAM security; Oracle db, ///MRE/BID |
May 03, 2007, 05:55 PM
Tony AI have let someone at the Uni know that they have this breach and I have rechecked and it isn't plugged!!
It wasn't me that found this hole either, I just feel that the community should know about these things when they expose their reporting portal to the wider internet.
T
In FOCUS since 1986 | WebFOCUS Server 8.2.01M, thru 8.2.07 on Windows Svr 2008 R2 | | |
WebFOCUS App Studio 8.2.06 standalone on Windows 10 | |
May 03, 2007, 09:32 PM
dhagenIBIC_user and pass are usually configured with a (dontpass) option. This implies that they should not be available beyond the web application. Has someone messed with the site.wfs or another .wfs file and removed the dontpass option?
As far as the CMD ERASE stuff, the server can be configured to not allow op system level commands, thereby preventing this type of attack.
"There is no limit to what you can achieve ... if you don’t care who gets the credit." Roger Abbott
May 04, 2007, 06:54 AM
Dan KennyTony,
Considering that it required a
Technical Memo 4608 issued on 7.1 before this security hole was identified and plugged, it's not surprising that the adhoc fex application is still accessable by non-managed reporting users at a number of installations across the globe. I know our university was bit by this for a period of time after our initial install.
Perhaps Kerry can offer a suggestion of the best way to forward security notifications uncovered by colleagues to the appropriate IBI customer contact?
Dan Kenny
University of Nebraska at Omaha
Prod: WF 7.1.6 Linux BID/MRE/Data Migrator Test: WF 7.6.1 Linux BID/MRE/Data Migrator
May 04, 2007, 09:53 AM
mgrackinIronically, I was checking my SITE.WFS file to see how I plugged this hole to share with everyone on Focal Point and I discovered that I actually only narrowed the hole, not plugged it. Go figure. It is plugged on our production servers now.
I did this by using the following code in the SITE.WFS config file.
<ifdef> IBIF_adhocfex
<htmlform> &APPROOT/baseapp/wfverr98.htm
<exit>
<endif>
Simply put, if the IBIF_adhocfex variable exists, deny the request and send back an HTML page containing a customized error message. I permit no usage of the IBIF_adhocfex variable on our production boxes.
I don't think this will work for everyone since DevStudio uses this variable at times if not all the time.
Does anyone else have a better or more elegant solution? I could not find the Tech Memo on Tech Support.
Thanks!
Mickey
| FOCUS/WebFOCUS 1990 - 2011 |
May 04, 2007, 11:44 AM
Dan KennyThe TM4608 has you invalidate a lot of IBI variables - it also knocks out your ability to run the New Century Corp demos
-- I ended up punching a hole through for IBIAPP_app directory ibinccen......
<if> IBIMR_user EQ NULL OR IBIMR_user EQ ""
<if> IBIF_adhocfex NE NULL OR IBIF_adhocfex NE "" OR \\=
IBIF_ex NE NULL OR IBIF_ex NE "" OR \\=
IBIF_focexec NE NULL OR IBIF_focexec NE "" OR \\=
IBIF_raw NE NULL OR IBIF_raw NE ""
<htmlform> &IBI_HTML_DIR/errorpage.htm
<exit>
<endif>
<endif>
Dan Kenny
University of Nebraska at Omaha
Prod: WF 7.1.6 BID/MRE/Data Migrator Test: WF 7.6.1 BID/MRE/Data Migrator