- Kyungho Kim
- PowerBuilder
- Friday, 9 March 2018 06:56 AM UTC
This is the tech team of Citi Bank Korea.
A couple of the KR team's applications have been using PowerBuilder 12.5 as a client development tool.
[Issue finding]
The Vulnerability Assessment team found some issues: the DB password is shown in PC memory while connecting to the database.
The source code is as below.
SQLCA.DBMS = "O10 Oracle10g (10.1.0)"
SQLCA.ServerName = gs_db_sid
SQLCA.LogId = gs_db_userid
SQLCA.LogPass = "real password" // this is shown in memory
SQLCA.AutoCommit = False
SQLCA.DBParm = "CommitOnDisconnect='No',PBDBMS=0"
CONNECT USING SQLCA;
KR team had a news conference that SAP provided two fix DLLs to solve this issue (PBASE126, PBSHR126). That was via the PB12.6 version.
KR team tried to get version 12.6, but it has already been EOVS.
So KR team made a decision to use PowerBuilder 2017 and expected that it also had the fix DLL.
One sample application has been updated using PowerBuilder 2017. But the DB password was still shown in memory while connecting to the database.
KR team needs to get the fix DLL for PowerBuilder 2017 dedicated to solving this issue.
Could you review?
And if the fix DLL is not included in the PowerBuilder 2017 install files, could you kindly provide it?
KR team also asked about this issue via Penta System Technology, which is the distributor in Korea.
It would be very much appreciated if you reply promptly.
Thanks,
Mark
Thank you so much for your reply.
Could you kindly let KR team know how long it will be, or any schedule?
For reference, this is an issue with the 2-tier client/server approach (Windows program).
Does the PowerServer that you mentioned mean a 3-tier system?
From Korea Citibank tech.