× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.




In our environment the profile that uses ODBC is authorised to the
stored procedures and only to the SPs.


Do any of your stored procedures call QCMDEXC? If so, wouldn't that mean
that the user profile that QZDASOINIT Jobs run under is authorized to it?


The database is owned by a separate profile.
The stored procedures are external LANGUAGE RPGLE.
The RPGLE programs are OWNER(database) USRPRF(*OWNER)
The underlying table/views are PUBLIC(*EXCLUDE).


Do you have any user profiles with *allobj authority?


With this design, no end user can directly read or write to the
database; they need to go through the stored procedures.


Didn't you just admit that owner(database) had access to the database? Most
shops have many user profiles that have access to the database.


Assuming an attack that compromises the web server, those procedure
names, parameter lists, and data flows would become known to the
attacker, allowing an injection attack to be launched from the
compromised, but still authorised, web server


That's what occurred at that water district where their IBM i was
compromised. Hackers got control over the IIS server and discovered the IBM
i user ID, password, and IP address located in a .ini file.

The point is that ODBC provides a generic interface for accessing the
database and calling programs on a platform (Windows) that is most
susceptible to being compromised.

It seems to me that
this attack surface is the same whether the underlying communication
between the web/front end and the database/back end is stored
procedures or a web service.


I'm not sure what you mean by the attack surface being the same for
presumably the IBM i HTTP Server - it doesn't provide any access to
QZDASOINIT Jobs - and any access to any other resource must be explicitly
configured - the default is for everything to be locked down. In addition
to IBM object authorities, you have HTTP configuration directives, and
perhaps more importantly, web services provide (at least, should provide) a
vehicle for implementing "application" authorities.

Public forums are probably not the most comfortable place for discussions
about one's security exposure. Hackers can be very innovative.

As an Amazon Associate we earn from qualifying purchases.

This thread ...

Follow-Ups:
Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.