Re: Security issue with 7.5

Wed, 20 May 2009 09:05:38 -0700 

Axton wrote:
** I would think that the password/username should not be required to fetch resources from the sharedresources directory. This looks to be a problem in the active link 'uidemo: Hover and Tooltips'; hopefully this logic was not replicated. Imho, the pwd url parameter should be deprecated altogether. There is no case to justify it's use as it is insecure by nature. 

Axton Grams


Axton,


I originally found this issue when I was debugging a bit of work flow 
that I created on our custom forms.  I used uidemo as an example rather 
than sharing my definition files & data with BMC support.


   <GRIPE>
   I know from experience the sort of questions that they ask before
   they even start on a problem, even when they have been supplied the
   information!  So if I found the problem with some work flow that
   emanated from BMC then that might speed the process up a bit.
   </GRIPE>


I did not copy my work flow from uidemo - rather I based it on 
information obtained from the documentation and also what I gleaned from 
being part of the Beta program.



There are a number of active links in uidemo that handle use the 
TEMPLATE function and every time that the template is used in the WUT, 
and a graphic is used in that template, then the username and password 
are to be found as part of the URL.  In fact, there is a View field on 
the 'Hover and Tooltips' panel.  When you click on a row in the 'Hover 
on Table Row' table the view field is filled with the processed 
template.  Right click on the view field, chose 'View Source' and you 
get to see the HTML.  In the 'src' of the 'img' tag you will find the 
username and password parts containing the security data.


Ian

------------------------------------------------------------------------
Ian Trimnell, AR System Lead Developer (amongst other jobs),

Specialist Support & Information Team, Academic & Administrative 
Computing Service

Open University, MILTON KEYNES, UK
Phone: 01908 653741   web: http://www.open.ac.uk/

The Open University is incorporated by Royal Charter (RC 000391), an 
exempt charity in England & Wales and a charity registered in Scotland 
(SC 038302).


_______________________________________________________________________________
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
Platinum Sponsor:rmisoluti...@verizon.net ARSlist: "Where the Answers Are"






















					Reply via email to