1. Kyungho Kim
  2. PowerBuilder
  3. Friday, 9 March 2018 06:56 AM UTC
This is the tech team of Citi Bank Korea. A couple of the KR team's applications have been using PowerBuilder 12.5 as a client development tool.

[Issue finding] The Vulnerability Assessment team found some issues: the DB password is shown in PC memory while connecting to the database. The source code is like below.

    SQLCA.DBMS = "O10 Oracle10g (10.1.0)"
    SQLCA.ServerName = gs_db_sid
    SQLCA.LogId = gs_db_userid
    SQLCA.LogPass = "real password" // this is shown in memory
    SQLCA.AutoCommit = False
    SQLCA.DBParm = "CommitOnDisconnect='No',PBDBMS=0"
    CONNECT USING SQLCA;

The KR team had a news conference that SAP provided two fix DLLs to solve this issue (PBASE126, PBSHR126). That was via the PB12.6 version. The KR team tried to get version 12.6, but it has already been EOVS. So the KR team made a decision to use PowerBuilder 2017 and expected that it also had the fix DLLs.

One sample application has been updated using PowerBuilder 2017, but the DB password was still shown in memory while connecting to the database.

The KR team needs to get a fix DLL for PowerBuilder 2017 dedicated to solving this issue. Could you review? And if the fix DLL is not included in the PowerBuilder 2017 install files, could you kindly provide it? The KR team also raised this issue via Penta System Technology, which is the distributor in Korea.

It would be much appreciated if you reply promptly.
Accepted Answer
Marco Meoni
  1. Friday, 9 March 2018 08:01 AM UTC
  2. PowerBuilder

Hello Kyungho,
Appeon is already working with SAP to get that emergency patch into PB 2017; the fix is on the way. However, as you probably already know, PowerServer is not affected by the password problem.
Cheers,
Marco

Comment
  1. Mark Jones
  2. Friday, 9 March 2018 14:36 PM UTC
Is this an issue for PB Classic 12.5.2? If so, will an EBF be released?

Thanks,
Mark

  1. Shenn Sellers
  2. Monday, 12 March 2018 16:29 PM UTC
Appeon can only support PB 2017 and later.  For PB 12.6 and lower, you will need to contact SAP. 

  1. Kyungho Kim
  2. Tuesday, 13 March 2018 07:35 AM UTC
Hi Marco,

Thank you so much for your reply.
Could you kindly let the KR team know how long it will be, or any schedule?

For reference, this is an issue with the 2-tier client/server approach (Windows program).
Does the PowerServer that you mentioned mean a 3-tier system?

From Korea Citibank tech.
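
One way to check on a test machine whether a candidate fix removes the finding discussed in this thread, as an added example (not code from the thread, Appeon or SAP): set a test account's password to a unique canary value, capture a dump of the client process while it is connected, and scan the dump for the canary. The function names, the canary value and the choice of ASCII and UTF-16LE as the encodings to search are assumptions.

```python
"""Scan a process memory dump for a known canary password (added example)."""
import os
import tempfile

# Assumption: the client may hold the password as a narrow (ASCII) string,
# a wide (UTF-16LE) string, or both, so the scan looks for each form.
ENCODINGS = ("ascii", "utf-16-le")


def find_canary(dump_path, canary, chunk=1 << 20):
    """Return sorted (file_offset, encoding) hits for an ASCII canary string."""
    if not canary:
        raise ValueError("canary must not be empty")
    needles = {enc: canary.encode(enc) for enc in ENCODINGS}
    overlap = max(len(n) for n in needles.values()) - 1
    hits, buf, base = set(), b"", 0      # base = file offset of buf[0]
    with open(dump_path, "rb") as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                break
            buf += block
            for enc, needle in needles.items():
                pos = buf.find(needle)
                while pos != -1:
                    hits.add((base + pos, enc))
                    pos = buf.find(needle, pos + 1)
            # Keep a tail so a match straddling two reads is still found;
            # the set removes hits that the tail makes us see twice.
            keep = buf[-overlap:]
            base += len(buf) - len(keep)
            buf = keep
    return sorted(hits)


def demo():
    """Constructed dump: canary once as UTF-16LE, once as ASCII."""
    canary = "Canary-7f3a"               # constructed test password
    data = (b"\x00" * 10 + canary.encode("utf-16-le")
            + b"\xff" * 5 + canary.encode("ascii") + b"\x00" * 3)
    fd, path = tempfile.mkstemp(suffix=".dmp")
    try:
        os.write(fd, data)
        os.close(fd)
        return find_canary(path, canary, chunk=7)
    finally:
        os.remove(path)
```

An empty result only shows that the canary is absent in these two encodings in that one dump, so take the dump while the connection is open, as in the original finding.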