INTELLIGENT WORK FORUMS
FOR COMPUTER PROFESSIONALS

Log In

Come Join Us!

Are you a
Computer / IT professional?
Join Tek-Tips Forums!
  • Talk With Other Members
  • Be Notified Of Responses
    To Your Posts
  • Keyword Search
  • One-Click Access To Your
    Favorite Forums
  • Automated Signatures
    On Your Posts
  • Best Of All, It's Free!

*Tek-Tips's functionality depends on members receiving e-mail. By joining you are opting in to receive e-mail.

Posting Guidelines

Promoting, selling, recruiting, coursework and thesis posting is forbidden.

Jobs

Insecure access to Pássword via Dátabase Paínter

Insecure access to Pássword via Dátabase Paínter

(OP)
In ÍnfoMaker 9.0.1 buíld 7119 (11-FEB-2004 18:06:41) and ÍnfoMaker 10.5 buíld 3423 (09-FEB-06 03:38:28), it is possible to export dátabase profíle ínformation such that the logín and pássword are exposéd to the user!

Go into the dátabase paínter, and then Fíle >> Expórt Profíle(s)... and select the requíred dátabase(s).

Save the .ini file to a desíred locatíon (for example the Désktop), clíck OK and you'll get a fíle creáted that looks a bit like this (see híghlighted text; what I've asterísked out is actual plain text):

CODE

[DBMS_PROFILES]
Profíles=supp8
[Profile supp8]
DBMS=O90 Oracle9í (9.0.1)
Dátabase=
UserId=
DátabasePassword=
LogId=*****
LogPassword=**********

SérverName=supp8
DBParm=Date=' ''''dd-mon-yy'''' ',DateTime=' ''''dd-mon-yy hh:mm:ss'''' ',Time=' ''''hh:mm:ss'''' '
Lock=
Prompt=FALSE
AutoCommít=FALSE

Does anybody know a way to prevent this from happening?  Some of our cústomers have ÍnfoMaker ínstalled on their end users' machínes, and if they know what they are doing this would enable them to extract the pássword to the dátabase!

I read somewhere that the dátabase paínter (NOT! the dátabase Profíle paínter) is optíonal, but it gave no ínstructions on how to unínstall, deactívate, or delete it.

Cheers!

If you don't know what eschatology is then don't worry; it's not the end of the world.

RE: Insecure access to Pássword via Dátabase Paínter

(OP)
Worked out a workaround for this myself.  What I did was to create a new user called infomaker and a role called infomaker_role.

Then I wrote a script to grant SELECT privilege to the application tables to this role, as well as the 5 catalogue tables: PBCATCOL, PBCATEDT, PBCATFMT, PBCATTBL, and PBCATVLD .

After this, go to the InfoMaker database profile painter and set up/edit the required connection.  On the connection tab, enter that login and password.  Click on Apply then click the System tab.  Under PowerBuilder Catalog Table Owner, enter infomaker (i.e. the user just created).  Apply the changes and OK out.  Connect to the database using that connection.

Setting up infomaker as the PowerBuilder Catalog Table Owner should ensure you don't get the error about connecting as the catalog owner first.

Exporting the database profile after this will only expose the infomaker password - one that only has select privileges.

If you don't know what eschatology is then don't worry; it's not the end of the world.

Red Flag This Post

Please let us know here why this post is inappropriate. Reasons such as off-topic, duplicates, flames, illegal, vulgar, or students posting their homework.

Red Flag Submitted

Thank you for helping keep Tek-Tips Forums free from inappropriate posts.
The Tek-Tips staff will check this out and take appropriate action.

Reply To This Thread

Posting in the Tek-Tips forums is a member-only feature.

Click Here to join Tek-Tips and talk with other members!

Resources

Close Box

Join Tek-Tips® Today!

Join your peers on the Internet's largest technical computer professional community.
It's easy to join and it's free.

Here's Why Members Love Tek-Tips Forums:

Register now while it's still free!

Already a member? Close this window and log in.

Join Us             Close