×
The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.
On 7 July 2017 at 13:43, Nathan Andelin <nandelin@xxxxxxxxx> wrote:
ODBC is also too hard to secure.
In our environment the profile that uses ODBC is authorised to the
stored procedures and only to the SPs.
The database is owned by a separate profile.
The stored procedures are external LANGUAGE RPGLE.
The RPGLE programs are OWNER(database) USRPRF(*OWNER)
The underlying table/views are PUBLIC(*EXCLUDE).
With this design, no end user can directly read or write to the
database; they need to go through the stored procedures.
Assuming an attack that compromises the web server, those procedure
names, parameter lists, and data flows would become known to the
attacker, allowing an injection attack to be launched from the
compromised, but still authorised, web server. It seems to me that
this attack surface is the same whether the underlying communication
between the web/front end and the database/back end is stored
procedures or a web service.
--buck
midrange.com
