T 4.27 Circumvention of access control via ODBC

Database interfaces provide users with a connection, in the form of an Application Programming Interface (API), between application programs and databases; the connection is implemented by drivers.

Examples of database interfaces include:

Through such an interface, the instructions from the application program are translated by the database interface into commands specific to the particular database; the commands are then transmitted to the database, and the results of the commands are returned to the application program.

One component of the communication interface between the application program and the database is the procedure used to identify the application to the database as a registered database user.

The existing data and system access controls provided by a database can be circumvented when the database is accessed over a database interface and the corresponding drivers are installed, configured, or used incorrectly. In this case, the protection of confidential data can no longer be guaranteed, and the data may be manipulated.

Example:

An ODBC data source can be used in Microsoft Excel or Word to integrate information from a database into a document. To allow fast access to this information later on, the query can be stored together with the user name and the password; in this case, the user name and password are stored in the file as plain text. If the affected Excel or Word document is subsequently passed to a third party, that party will be able to read the user name and password with an editor and possibly gain access to the database.
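The following check, added here as an illustration and not part of the threat catalogue, shows how a defender can detect the situation described in the example before a document leaves the organisation: it opens an Excel workbook (an .xlsx file is a ZIP archive), reads the stored data connections from `xl/connections.xml`, parses each ODBC/OLE DB connection string, and reports connections whose string embeds a password. The sample workbook is constructed inline (a minimal archive containing only `connections.xml`); the element names `connection`/`dbPr` and the attributes `connection`, `command` and `savePassword` are the OOXML layout as the author understands it, and the DSN names, user name and password value are made-up sample values. The report deliberately omits the password itself.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Keys that carry a secret in ODBC / OLE DB style connection strings
SECRET_KEYS = {"pwd", "password"}
# Keys that name the database account
USER_KEYS = {"uid", "user id", "user", "username"}

# OOXML SpreadsheetML namespace used by xl/connections.xml
NS = {"x": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}


def parse_connection_string(conn):
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    parts = {}
    for item in conn.split(";"):
        if "=" not in item:
            continue
        key, _, value = item.partition("=")
        parts[key.strip().lower()] = value.strip()
    return parts


def embedded_credentials(conn):
    """Return (user_name, has_password) for one connection string.

    A key such as PWD= with an empty value does not count as a stored password.
    """
    parts = parse_connection_string(conn)
    user = next((parts[k] for k in USER_KEYS if k in parts), None)
    has_password = any(parts.get(k) for k in SECRET_KEYS)
    return user, has_password


def scan_xlsx(data):
    """Return a list of findings for data connections that embed a password.

    Each finding records the connection name, the account name, the stored
    query and whether Excel's savePassword flag is set; the password value is
    never copied into the finding.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if "xl/connections.xml" not in zf.namelist():
            return findings  # workbook has no external data connections
        root = ET.fromstring(zf.read("xl/connections.xml"))
        for conn in root.findall("x:connection", NS):
            dbpr = conn.find("x:dbPr", NS)
            if dbpr is None:
                continue
            user, has_password = embedded_credentials(dbpr.get("connection", ""))
            if has_password:
                findings.append({
                    "name": conn.get("name"),
                    "user": user,
                    "command": dbpr.get("command"),
                    "save_password_flag": conn.get("savePassword") == "1",
                })
    return findings


# Constructed sample: a minimal "workbook" with two ODBC connections (type="1"),
# one with a stored user name/password and one using integrated authentication.
SAMPLE_CONNECTIONS_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<connections xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">
  <connection id="1" name="Sales (ODBC)" type="1" savePassword="1">
    <dbPr connection="DSN=SalesDB;UID=reports;PWD=sample-secret" command="SELECT * FROM sales"/>
  </connection>
  <connection id="2" name="HR (ODBC, integrated auth)" type="1">
    <dbPr connection="DSN=HRDB;Trusted_Connection=Yes" command="SELECT * FROM headcount"/>
  </connection>
</connections>
"""


def build_sample_xlsx():
    """Build the constructed sample workbook in memory and return its bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/connections.xml", SAMPLE_CONNECTIONS_XML)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_xlsx(build_sample_xlsx()):
        print("stored password in connection %(name)r for account %(user)r "
              "(savePassword=%(save_password_flag)s): %(command)s" % finding)
```

Only the first connection is reported: the second uses integrated authentication, which is the configuration to prefer, since the document then carries no credential that a third party could read out with an editor.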