IBM Support

Protecting Against SQL Injection

Question & Answer


Question

How does Maximo protect against SQL injection?

Answer

IBM is aware of the concern that clients have surrounding SQL injection. Bearing that in mind, we are outlining several of the built-in safeguards and implementation best practices for your Maximo system.

All interactions with the database go through a single user ID, and other actions are executed through business objects that connect via that ID. When deploying the system, the ID needs a broader set of rights. In production, the rights can be limited by:
1. Removing the capability for the Maximo user to drop a table
2. Removing the capability for the Maximo user to truncate a table
3. Removing the capability for the Maximo user to delete from a table. This option may have to be handled on a table-by-table basis, as the delete capability may be necessary in some cases but not others.

In most places, where clauses executed by Maximo are built dynamically and executed within the context of a user's security privileges. For example, if John Smith only has access to see Assets at site 1000 and he appends a comment marker ("--") to the end of his user-defined where clause, it does not comment out the clause "siteid = '1000'", because that clause is placed at the beginning of the where clause. Maximo's security wrapper is written before the user-defined query is added to the SQL statement.

In the rare places where users can execute SQL statements, namely the advanced functions of Advanced Search and KPI Manager, these applications can be secured. Best practice dictates that only administrative users should be granted access to create KPIs, primarily in a development or test environment, and most users will not need access to the SQL function of Advanced Search. Sig Options (signature options) are, or can be, associated with these functions so that they can be granted only to the appropriate user groups.

When a where clause is executed, if it contains an inappropriate semicolon it errors out, eliminating the capability of appending a trailing SQL statement to the where clause. The property mxe.db.sqlinjection can also be set to 1 (the default is 0) to further limit what can be executed in an Advanced Search. With this value set to 1, any "--", any use of "dummy_table" or "dual" as a table name, and any expression of the form number = number (for example, 1=1) will also error when a user tries to execute a search.
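The two mechanisms described above, the security wrapper that is prepended before the user-defined where clause and the checks enabled by mxe.db.sqlinjection, can be illustrated with a small emulation. The following is an added example written for this page; it is not Maximo's own code, and the exact wrapping syntax (parenthesised clauses joined with AND), the function names, and the regular expressions are assumptions that model the behaviour the answer describes. It shows why a trailing "--" cannot remove the "siteid = '1000'" restriction, and how a clause is rejected for a semicolon (always) or for a line comment, a dual/dummy_table reference, or a number = number expression (only when the property is set to 1).

```python
import re
from typing import List

# Constructed example: the restriction Maximo would prepend for a user who
# may only see Assets at site 1000 (the wrapping syntax is an assumption).
SECURITY_CLAUSE = "siteid = '1000'"


def compose_where(security_clause: str, user_clause: str) -> str:
    """Write the security restriction first, then the user-defined clause.

    Because the restriction precedes the user text, a '--' in the user clause
    can only comment out text that follows it, never the restriction itself.
    """
    return f"({security_clause}) AND ({user_clause})"


def strip_comment(sql: str) -> str:
    """Return the text a SQL engine keeps once a '--' line comment starts.

    Used here only to show which part of the composed clause survives.
    """
    idx = sql.find("--")
    return sql if idx == -1 else sql[:idx]


# Hypothetical checks modelling the rules the answer describes.
_SEMICOLON = re.compile(r";")
_LINE_COMMENT = re.compile(r"--")
# 'dual' or 'dummy_table' used as a table name (after FROM or JOIN).
_SPECIAL_TABLES = re.compile(r"\b(?:from|join)\s+(?:dual|dummy_table)\b", re.I)
# A bare numeric literal compared to a numeric literal, quoted or not: 1=1, '1' = '1'.
_TAUTOLOGY = re.compile(r"'?\b\d+\b'?\s*=\s*'?\b\d+\b'?")


def validate_user_clause(clause: str, sqlinjection: int = 0) -> List[str]:
    """Return the reasons a user-defined where clause would be rejected.

    An empty list means the clause is accepted. The semicolon check always
    applies; the remaining checks apply only when sqlinjection == 1, mirroring
    the mxe.db.sqlinjection property (default 0).
    """
    problems: List[str] = []
    if _SEMICOLON.search(clause):
        problems.append("semicolon")
    if sqlinjection == 1:
        if _LINE_COMMENT.search(clause):
            problems.append("line comment")
        if _SPECIAL_TABLES.search(clause):
            problems.append("special table")
        if _TAUTOLOGY.search(clause):
            problems.append("number = number")
    return problems


if __name__ == "__main__":
    # Constructed user clause ending in a comment marker.
    composed = compose_where(SECURITY_CLAUSE, "description like 'pump%' --")
    print("composed :", composed)
    print("survives :", strip_comment(composed))
    for clause in ("description like 'pump%'",
                   "status = 'ACTIVE'; select 1",
                   "status = 'ACTIVE' --",
                   "exists (select 1 from dual)",
                   "1=1"):
        print(f"{clause!r:40} default -> {validate_user_clause(clause)} ; "
              f"sqlinjection=1 -> {validate_user_clause(clause, 1)}")
```

Running the script shows that the text surviving the comment still begins with "(siteid = '1000') AND", and that the same "--" clause passes with the default setting but is rejected once the property is set to 1, which is the trade-off an administrator weighs when enabling it.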


Document Information

Modified date:
17 June 2018

UID

swg21419049