I am more than amused by the misnomer JBASE_SECUREHASH_SHA256_BASE64 - I hope no one, especially TEMENOS, is trusting their passwords to a routine callable from jBC that encrypts [in situ] a password [in situ] - the chances of that passing any kind of audit committee are small (and zero if I was on it).
However, clearly the program has been compiled without including the jBC.h file (or possibly some other include) that defines the symbol JBASE_SECUREHASH_SHA256_BASE64, hence the compiler thought it was a variable and, as it will not be assigned any value, ENCRYPT, on trying to use that variable as the numeric key for the encryption type, finds that it is not the number that it is expecting. Did the user who compiled this program not see a message saying "Warning - JBASE_SECUREHASH_SHA256_BASE64 is never assigned a value?"

This routine is so full of obvious holes though, that you might as well just comment out that line and accept any password or just not even bother. For a start, though you are obviously unaware of the capabilities of the debugger other than the Q command, the fact that you can enter the debugger and view the source to the password checking routine rather defeats the purpose - I hope that hackers also refrain from reading the debugger manual and that this is at least just a development account. Suppose for instance that you are running some emulation option that treats an unassigned variable as the numeric value 0. This would then use encryption style 0 without you knowing it. If you can enter the debugger and use the V command then you can see the value of all the variables. The fact that the user is typing the password into a BASIC program that will then carry that image around in system readable memory is, well, need I say anything? The final fact that the encrypted password is stored in a dynamic array element, and that no doubt this is then used as verification, means that there is no need for even hacking the original password; all I need is any old word that hashes to the same thing, but as I can just go steal the encryption from memory anyway, then I don't even need to do that. Estimated time to hack your system - 10 minutes, including 4 minutes to boot my netbook and 5 minutes to put the kettle on.
Seriously, just don't bother with the passwords and save yourself the headache. If this is the standard login/encryption for TIB then if you are using it, then you are either a very generous bank and wish to give all the customers' money away, or blissfully unaware (until now perhaps), how stunningly inadequate the security must be. If this is your own routine, then I advise you as an organization to read up on encryption and security as soon as possible. Reading a book on OpenSSL is a good start.

Jim

From: [email protected] [mailto:[email protected]] On Behalf Of kashif ahmed
Sent: Friday, May 28, 2010 4:35 AM
To: [email protected]
Subject: t24 - TIB User Creation Issue

Dear all,

I am installing and configuring the TIB service on the Windows XP platform using jBASE 4.1 and JWB 3.7.1.

As I go to create the user through the SubInitIBuser command, the following error is received.

=================================================================
------------------------
UserName:KASHIF01
Password:
------------------------
Non-numeric value -- ZERO USED , Variable 'JBASE_SECUREHASH_SHA256_BASE64' , Line 59 , Source SubInitIBuser
Trap from an error message, error message name = NON_NUMERIC
Source changed to .\PrgMain\SubInitIBuser
0059 MstUserRec<6> = ENCRYPT(User:password,"",JBASE_SECUREHASH_SHA256_BASE6 4)
jBASE debugger->Q
Are you sure ?Y
jBASE debugger , QUIT
===============================================================

Please, can anyone advise/comment on this issue?
regards,
kashif

--
Please read the posting guidelines at: http://groups.google.com/group/jBASE/web/Posting%20Guidelines
IMPORTANT: Type T24: at the start of the subject line for questions specific to Globus/T24
To post, send email to [email protected]
To unsubscribe, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/jBASE?hl=en
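Added example, not part of the thread and not jBASE or TEMENOS code: a Python model of two points raised in the reply above, namely an algorithm key that must fail closed instead of silently becoming 0, and a single-pass hash with no random salt set beside a salted, slow, constant-time-verified record. The numeric key value, all function names and the behaviour attributed to ENCRYPT are assumptions.

```python
import base64, hashlib, hmac, os

# Hypothetical numeric key standing in for the symbol the jBC include would
# define; the real value does not appear in the thread.
SECUREHASH_SHA256_BASE64 = 1001
KNOWN_ALGORITHMS = {SECUREHASH_SHA256_BASE64}

def require_algorithm(key):
    """Fail closed: an unassigned or non-numeric key must never become 0."""
    if isinstance(key, bool) or not isinstance(key, int) or key not in KNOWN_ALGORITHMS:
        raise ValueError(f"unknown hash algorithm key: {key!r}")
    return key

def _b64(raw):
    return base64.b64encode(raw).decode("ascii")

def weak_record(user, password, key):
    """Assumed shape of the thread's call: one SHA-256 pass over user:password
    (':' concatenates in jBC), base64-encoded, no random salt."""
    require_algorithm(key)
    return _b64(hashlib.sha256((user + password).encode()).digest())

def make_record(password, iterations=600_000):
    """Random salt plus a slow KDF; salt and cost travel with the record."""
    salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${_b64(salt)}${_b64(derived)}"

def verify(password, record):
    """Recompute with the stored salt and cost, then compare in constant time."""
    try:
        scheme, iterations, salt, derived = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                        base64.b64decode(salt), int(iterations))
        return hmac.compare_digest(candidate, base64.b64decode(derived))
    except ValueError:
        return False  # malformed record: reject, never accept

if __name__ == "__main__":
    # Constructed sample input.
    print(weak_record("KASHIF01", "example-pass", SECUREHASH_SHA256_BASE64))
    record = make_record("example-pass")
    print(record, verify("example-pass", record), verify("wrong", record))
```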
