Thanks for bringing this up. For now, the issue with showing the password in the 
log files is resolved in 7.5.

>>** I would think that the password/username should not be required to fetch 
>>resources from the sharedresources directory.  This looks to be a problem in 
>>the active link 'uidemo:  Hover and Tooltips'; hopefully this logic was not 
>>replicated.  Imho, the pwd url parameter should be deprecated altogether.  
>>There is no case to justify its use as it is insecure by nature.

The shared resources are fetched by Mid-tier from the AR Server. When the user 
tool asks for shared resources (used in Templates), it doesn't fetch them from 
the AR Server, but points to the Mid-tier URL and renders them in the View 
field.

However, there is still an open issue being worked upon: "the password in the 
url parameter".

Regards,
Ravishankar


The opinions, statements, and/or suggested courses of action expressed in this 
E-mail do not necessarily reflect those of BMC Software, Inc.  My voluntary 
participation in this forum is not intended to convey a role as a spokesperson, 
liaison or public relations representative for BMC Software, Inc.

From: Action Request System discussion list(ARSList) 
[mailto:[email protected]] On Behalf Of Axton
Sent: Wednesday, May 20, 2009 9:12 PM
To: [email protected]
Subject: Re: Security issue with 7.5

** I would think that the password/username should not be required to fetch 
resources from the sharedresources directory.  This looks to be a problem in 
the active link 'uidemo:  Hover and Tooltips'; hopefully this logic was not 
replicated.  Imho, the pwd url parameter should be deprecated altogether.  
There is no case to justify its use as it is insecure by nature.

Axton Grams

On Wed, May 20, 2009 at 7:13 AM, Ian Trimnell <[email protected]> wrote:

Greetings ARSlist.

We have come across a fairly large security issue with AR System 7.5.  If you 
use any of the new-style Templates which include graphics, and then attempt to 
display these on the Windows Client (WUT) with active link logging turned on, 
the Username and Password of the user will be displayed in clear text in the 
log file.

The following is an edited version of the issue that I have open with our BMC 
Partner (Fusion):
I have created a dummy account on our 7.5 patch 001 system and have logged in 
with that account using the 7.5 patch 001 WUT. I then turned on Active Link 
logging.
Next I opened the uidemo form that BMC have provided as that has a number of 
templates with graphics in them. I clicked on the "Hover and Tooltips" panel 
and hovered the mouse over a row in the "Hover on Table Row" table. The window 
that resulted had the template text but no graphic was displayed (possibly 
understandable with the WUT).
I then turned logging off.
Search through the log file for any references to the field "Format Buffer" and 
you will see the full URL of any graphics file being shown along with the FULL 
log-in credentials of the dummy user.

Here is an extract from the log file:

<ACTL> Checking uidemo:  Hover and Tooltips - on row select (0)
<ACTL>     -> Passed qualification -- perform if actions
<ACTL>          0: Set Fields
<ACTL>             Format Buffer (536971496) = <html>
<body leftmargin="0" topmargin="0">
<!--<div style="height:100%; background:#E6E6E6"> -->
<table border="0">
<tr>
   <td><img src="http://newcicero.open.ac.uk:8888/arsys/sharedresources/image/srm_service_advanced.jpg?server=newcicero.open.ac.uk&username=dummy&pwd=Youshouldntseethis&auth&native=1"/></td>
   <td colspan="2" style="padding:3px; vertical-align:top; font-weight:bold">Advanced</td>
</tr>
<tr>
   <td colspan="2"><font size="2">Advanced services including everything from A-Z</font></td>
</tr>
</table>
<!-- </div> -->
</body>
</html>

We are getting round this problem now by amending the workflow that calls the 
template so that a graphics-free template is used for WUT users.

I am posting this here as I think that the wider AR System community need to 
know.  If I get any feedback from BMC I will post it here, but going on another 
issue I currently have open with BMC I'm not holding my breath for an answer in 
the short term.

Cheers,

Ian
________________________________
Ian Trimnell, AR System Lead Developer (amongst other jobs),
Specialist Support & Information Team, Academic & Administrative Computing 
Service
Open University, MILTON KEYNES, UK
Phone: 01908 653741   web: http://www.open.ac.uk/
The Open University is incorporated by Royal Charter (RC 000391), an exempt 
charity in England & Wales and a charity registered in Scotland (SC 038302).
_Platinum Sponsor: [email protected] ARSlist: "Where the Answers Are"_
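As an added illustration (not code from the thread or from BMC), the following Python scrubber finds the credential-bearing sharedresources URLs Ian describes in an active link log dump, reports which parameters leaked on which line, and masks them before the log is shared or archived. The sample log is constructed in the shape of the excerpt above; the host name is made up.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Query parameters the Mid-tier sharedresources URL carries in clear text
SENSITIVE_PARAMS = {"username", "pwd", "password"}
URL_RE = re.compile(r"""https?://[^\s"'<>]+""")

def redact_query(query):
    """Mask credential parameters in a raw query string, leaving every other
    parameter (including valueless ones such as 'auth') byte for byte intact.
    Returns (scrubbed_query, list_of_leaked_param_names)."""
    out, leaked = [], []
    for part in query.split("&"):
        key, _, _ = part.partition("=")
        if key.lower() in SENSITIVE_PARAMS:
            leaked.append(key)
            out.append(key + "=[REDACTED]")
        else:
            out.append(part)
    return "&".join(out), leaked

def scan_log(text):
    """Scrub every URL in an active link log; returns (scrubbed_text, findings)
    where findings lists (line_number, leaked_param_names) per exposed URL,
    so one routine serves both detection and log sanitisation."""
    findings, scrubbed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        def mask(match):
            parts = urlsplit(match.group(0))
            new_query, leaked = redact_query(parts.query)
            if leaked:
                findings.append((lineno, leaked))
            return urlunsplit(parts._replace(query=new_query))
        scrubbed.append(URL_RE.sub(mask, line))
    return "\n".join(scrubbed), findings

# Constructed sample modelled on the excerpt above (host and credentials made up)
SAMPLE_LOG = """\
<ACTL> Checking uidemo:  Hover and Tooltips - on row select (0)
<ACTL>          0: Set Fields
<ACTL>             Format Buffer (536971496) = <html>
   <td><img src="http://midtier.example.com:8888/arsys/sharedresources/image/srm_service_advanced.jpg?server=midtier.example.com&username=dummy&pwd=Youshouldntseethis&auth&native=1"/></td>
</html>
"""

if __name__ == "__main__":
    clean, hits = scan_log(SAMPLE_LOG)
    for lineno, keys in hits:
        print(f"line {lineno}: credential parameters exposed: {', '.join(keys)}")
    print(clean)
```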
