Consultor Eletrônico



Kbase 21632: WebSpeed and Database Security Administration
Author   Progress Software Corporation - Progress
Access   Public
Published   31/12/2004
Status: Unverified

FACT(s) (Environment):

WebSpeed 3.x

SYMPTOM(s):

** You can only change your own password. (711)

CAUSE:

Security is an important subject and should be taken very seriously. Independent of the measures taken to ensure security, there is at times a need to allow specific users to change database user IDs and/or passwords through a WebSpeed application. This can be done, but care must be taken because of how WebSpeed's architecture handles the database connection.

Progress security allows only administrators and the user in question to change a password. In a WebSpeed environment, however, the agent connects to the database anonymously, so before the change you must set the user ID to either the administrator or the user who wishes to change their password. It is much safer to set the ID to that user, because the ID and password can then be entered dynamically into the application, as opposed to hard-coding the administrator ID and password into the application where anyone with access to your uncompiled code could read them.

It is also important to reset the database connection after this update is done. Otherwise the agent retains that user's identity and grants that user's rights to any new request the agent receives.

FIX:

The following code was written against the Sports2000 database, which has existing _User records. Please note that, due to formatting issues, some lines may need to be realigned before it can be compiled and run.


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<HTML>
<HEAD>
<meta name="AUTHOR" content="Alex Pearlstein">
<title>Password Modification</title>

<SCRIPT LANGUAGE="SpeedScript">
/* Message shown to the user after the form has been processed */
DEFINE VARIABLE allset  AS CHARACTER NO-UNDO.

DEFINE VARIABLE usrid   AS CHARACTER NO-UNDO.  /* user ID whose password changes */
DEFINE VARIABLE usropw  AS CHARACTER NO-UNDO.  /* current (old) password */
DEFINE VARIABLE usrnpw1 AS CHARACTER NO-UNDO.  /* new password */
DEFINE VARIABLE usrnpw2 AS CHARACTER NO-UNDO.  /* new password, confirmation */

ASSIGN
    usrid   = GET-VALUE("tusrid")
    usropw  = GET-VALUE("tusropw")
    usrnpw1 = GET-VALUE("tusrnpw1")
    usrnpw2 = GET-VALUE("tusrnpw2").

/* Only act on a real submission, not on the initial GET of the form */
IF GET-VALUE("SubmitBtn") = "Submit" THEN DO:
    IF usrnpw1 NE usrnpw2 THEN
        allset = "<Font color='red'>Your new passwords didn't match</font>".
    /* SETUSERID checks the old password and, when it succeeds, makes this
       agent act as that user. That branch must therefore always end with
       the disconnect/reconnect that drops the identity again. */
    ELSE IF SETUSERID(usrid, usropw, "sports2000") THEN DO:
        FIND FIRST _User WHERE _User._Userid = usrid EXCLUSIVE-LOCK NO-ERROR.
        IF AVAILABLE _User THEN DO:
            ASSIGN _User._Password = ENCODE(usrnpw1).
            allset = "<Font color='green'>Password has been successfully changed.</font>".
        END.
        ELSE
            allset = "<Font color='red'>User record not found</font>".
        /* Reset the connection so the agent is anonymous again */
        DISCONNECT sports2000.
        CONNECT sports2000 -H localhost -S 6130 -N TCP.
    END.
    ELSE
        allset = "<Font color='red'>User not found or Password is incorrect</font>".
END.
</script>
</HEAD>

<BODY>

<form method="POST" name="FormExample">

<Center>
<table border="0" cellpadding="0" cellspacing="2" bgcolor="white">
<TR><td><B>User ID</b></TD><TD><input type="text" size="10" name="tusrid" value=`usrid`></td></tr>
<TR><td><B>User Password</b></TD><TD><input type="password" size="10" name="tusropw"></td></tr>
<TR><td><B>New Password</b></TD><TD><input type="password" size="10" name="tusrnpw1"></td></tr>
<TR><td><B>Confirm New Password</b></TD><TD><input type="password" size="10" name="tusrnpw2"></td></tr>
<TR><TD colspan="2"><center><input type="submit" name="SubmitBtn" value="Submit"></center></TD></TR>
<TR><TD colspan="2">`allset`</TD></TR>
</table>
</Center>
</form>
</BODY>
</HTML>
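As an added example (not part of this Kbase), the same change wrapped in an internal procedure whose last step always drops the identity SETUSERID gave the agent and then verifies, with USERID(), that the connection is anonymous again before the agent serves another request. It assumes the agent connects with the same localhost/port 6130 parameters as the sample above and that an anonymous connection reports a blank USERID.

```abl
/* Added example, not part of Kbase 21632: run the reset whether or not
   the password update succeeded, then prove the agent is anonymous again. */
PROCEDURE changeOwnPassword:
    DEFINE INPUT  PARAMETER pUser  AS CHARACTER NO-UNDO.
    DEFINE INPUT  PARAMETER pOldPw AS CHARACTER NO-UNDO.
    DEFINE INPUT  PARAMETER pNewPw AS CHARACTER NO-UNDO.
    DEFINE OUTPUT PARAMETER pMsg   AS CHARACTER NO-UNDO.

    /* Assumption: the agent's anonymous connection uses the same
       parameters as the sample above (localhost, port 6130). */
    DEFINE VARIABLE cConnect AS CHARACTER NO-UNDO
        INITIAL "-db sports2000 -H localhost -S 6130 -N TCP".

    /* Old password wrong or user unknown: nothing was elevated, just return */
    IF NOT SETUSERID(pUser, pOldPw, "sports2000") THEN DO:
        pMsg = "User not found or password is incorrect".
        RETURN.
    END.

    /* From here on the agent acts as pUser; keep that window short */
    DO TRANSACTION ON ERROR UNDO, LEAVE:
        FIND _User WHERE _User._Userid = pUser EXCLUSIVE-LOCK NO-WAIT NO-ERROR.
        IF AVAILABLE _User THEN DO:
            ASSIGN _User._Password = ENCODE(pNewPw).
            pMsg = "Password has been successfully changed.".
        END.
        ELSE
            pMsg = "User record not found or locked; password unchanged.".
    END.

    /* Unconditional reset: drop the identity SETUSERID gave this agent */
    DISCONNECT sports2000 NO-ERROR.
    CONNECT VALUE(cConnect) NO-ERROR.

    /* Verify the reset before this agent serves anyone else.
       Assumption: an anonymous connection reports a blank USERID. */
    IF NOT CONNECTED("sports2000") THEN DO:
        pMsg = "ERROR: could not reconnect to sports2000.".
        RETURN ERROR.
    END.
    IF USERID("sports2000") <> "" THEN DO:
        pMsg = "ERROR: agent still runs as " + USERID("sports2000") + ".".
        RETURN ERROR.
    END.
END PROCEDURE.
```

Call it from the SpeedScript page as RUN changeOwnPassword(usrid, usropw, usrnpw1, OUTPUT allset) after the two new passwords have been compared; a RETURN ERROR from the procedure means the agent should not be trusted with further requests until it has been restarted.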