Angular development and potential SQL injection attack: imxclient.exe.config settings help


We're working on the angular project for our v91 web portal and found out that whenever a user that only has these roles: Birthday Assingments/everyone (change and lookup) will find a potential SQL injection attack error upon login to the angular web portal. 

I've followed this thread:  RE: Potential SQL injection attack by brute-force querying the rest api  and it seems fine for a production system. But how about a development environment? In our case , we run a local apiserver with imxclient.exe that runs on localhost:8182 but we're unable to get rid of the problem. We've added that baseURL setting to imxclient.exe.config to no success. This local api server connects a database. The QBMWebApplication BaseURL for this database is, obviously, different from the baseURL in the local api server. Changed the baseURL in imxclient to match the one in the database but the problem is still there. Guys, this is really confusing. 

Furthermore, could anyone explain in depth how the settings in imxclient.exe.config work? For we've been trying to use the app server connection string in connectionsStrings and appSetings but still are unable to run searchs using the web portal that runs on the local apiserver.


  • Our database layer (VI.DB) automatically detects statetements that may be "harmful" or allow to access data bypassing security settings.
    Unfortunately some of the statements the API server uses fall under this category.

    One solution for this problem is to tell the database layer, that the statements come from a web application and that the web application takes care of preventing harmful access. To do so, the web application's entry in the database table QBMWebApplicationn stores a Trusted Source Key and the web application stores the same TrustedSourceKey in its web.config connectionStrings section.

    This source key is automatically added to the database and the web.config during the installation of the web application with the web installer and so you normally don't get bothered with that whole topic.

    When starting an API server locally using the ImxClient you can basically use the same mechanism but you have do configure it manually. This article tells you how to achieve that.

    Determine the TrustedSourceKey

    The easiest way is to install a web application and then copy the raw value from the deciphered web.config and the crypted value from the db table QBMWebApplication.

    Store the TrustedSourceKey in ImxClient.exe.config

    1. If not present, add this section definition for the connectionbehavior section to the configSections node.
      Here's an example of how this might look like:
          <section name="connectionbehaviour" type="System.Configuration.NameValueSectionHandler" />
    2. If not present add a section named connectionbehaviour to your configuration.
    3. Within the connectionbehavior section add a value for the key TrustedSourceKey.
      Here's an example of how the connectionbehaviour section could look like:
        <add key="TrustedSourceKey" value="ELLZ5Z6VZ5ERGHIC1SQSEHFHNSV5444S" />
      </connectionbehaviour >

    Store the TrustedSourceKey in the database

    In the database you want to connect to create an entry in the table QBMWebApplication with the following column values

    • BaseURL: http://localhost:8182
    • TrustedSourceKey: <the crypted trusted source key>

    You could use the ObjectBrowser to create this data or the Designer.exe.
    If you use the Designer.exe go to Base data > Security settings > Web server configurations.

    Start the local API server

    When starting the local APIServer you have to make sure to give the paramater for baseurl: /baseurl
    Even if you just use the default base url http://localhost:8182 you have to pass /baseurl http://localhost:8182 to make this solution work.

    So your call looks something like this:
    ImxClient.exe run-apiserver -B /htmldir ixweb /baseurl http://localhost:8182

  • If you do not specify an authentication string you will see the connection dialog. The same is true for the connection strings.

Reply Children