Hi Ian,

>> I think that the log file issue has not been resolved in any currently
>> available version of 7.5 (it is still there in the original release and
>> patch 001).

Yes, you are correct. This is not resolved in any of the released versions of 7.5. This will make it in 7.5 Patch 003. Patch 001 is already released and Patch 002 is going to be released soon.

>> The URL with user name and password is also shown when you show the source of
>> any view field that contains the content of a template.

I agree this is a defect and being worked upon. The same holds true when using Flashboards, just that in Flashboard, one doesn't get to do a right click and view source.

Regards,
Ravishankar

The opinions, statements, and/or suggested courses of action expressed in this E-mail do not necessarily reflect those of BMC Software, Inc. My voluntary participation in this forum is not intended to convey a role as a spokesperson, liaison or public relations representative for BMC Software, Inc.

From: Action Request System discussion list(ARSList) [mailto:[email protected]] On Behalf Of Ian Trimnell
Sent: Monday, May 25, 2009 8:10 PM
To: [email protected]
Subject: Re: Security issue with 7.5

Munukutla,Ravishankar wrote:

Thanks for bringing this up. For now the issue with showing password in the log files is resolved in 7.5.

>> I would think that the password/username should not be required to fetch
>> resources from the sharedresources directory. This looks to be a problem in
>> the active link 'uidemo: Hover and Tooltips'; hopefully this logic was not
>> replicated. Imho, the pwd url parameter should be deprecated altogether.
>> There is no case to justify its use as it is insecure by nature.

The shared resources are fetched by Mid-tier from the AR-Server, and when asked for shared resources (used in Templates), in user tool, it doesn't fetch it from AR server, but points to the Mid-tier URL and renders the same in the View field. However, there is still an open issue being worked upon, "the password in the url parameter".

Regards,
Ravishankar

Ravishankar,

I think that the log file issue has not been resolved in any currently available version of 7.5 (it is still there in the original release and patch 001).

The URL with user name and password is also shown when you show the source of any view field that contains the content of a template. I currently have an issue open with BMC about this which has not yet reached any satisfactory solution. BMC support are still in their prevarication mode and haven't agreed that there is any issue to resolve yet. If you know any different then perhaps you can let them know.

Thanks,
Ian
________________________________
Ian Trimnell, AR System Lead Developer (amongst other jobs),
Specialist Support & Information Team, Academic & Administrative Computing Service
Open University, MILTON KEYNES, UK
Phone: 01908 653741 web: http://www.open.ac.uk/
The Open University is incorporated by Royal Charter (RC 000391), an exempt charity in England & Wales and a charity registered in Scotland (SC 038302).

