David,

You were spot on!! From the 7.5, patch 7 release notes, resolved issues:

SW00368694 - BMC Remedy User did not conceal or encrypt the username and
password information when retrieving flashboards data.

SW00372303 - When opening a flashboard, BMC Remedy User sent the username
and password as part of the URL (GET method), instead of sending them as
part of the data portion (POST method) of the mid tier request URL.

Time to upgrade.  Again.  Seems like we barely got to 7.1 (although it has
been a couple of years now I guess).

Thanks a million,
Thad

On Fri, Sep 23, 2011 at 2:29 PM, David Durling <[email protected]> wrote:

>
> Without looking, I think patch 007 of the 7.5 BMC Remedy User fixed a
> password-related issue.  It should be in the release notes.
>
> David Durling
>
> University of Georgia
>
> From: Action Request System discussion list (ARSList) [mailto:
> [email protected]] On Behalf Of Thad Esser
> Sent: Friday, September 23, 2011 4:59 PM
> To: [email protected]
> Subject: Passwords in URLs
>
> Hi,
>
> I'm pretty sure there's no resolution to this, but I wanted to ask the list
> anyway.  A user (using the user tool) recently noticed that his password is
> displayed in clear text on an error message (see the red box on the attached
> screenshot).  He happened to be building a PDT for SRM at the time, but I've
> seen similar errors on other data visualization fields.  We don't see enough
> of these errors for me to have ever fully chased it down, although now that
> it's been brought up to the security team, it is probably going to become a
> priority.  They say it will show up as clear text in the web logs as well.
>
> Does anyone have any suggestions on how to eliminate the issue, or explain
> it away?
>
> ARS 7.1 on AIX with Oracle 10g remote
> Midtier 7.5 p6
> ITSM 7.0.3 p9
> SRM 2.2 p4
>
> Thanks,
>
> Thad
>
> attend WWRUG11 www.wwrug.com ARSlist: "Where the Answers Are"
>

_______________________________________________________________________________
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
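As an added example (not code from the thread, from the ARSList, or from BMC): the two release notes above describe the same leak from both ends, a client that put the username and password in the request URL (GET) and the web server that then records that URL in its access log and echoes it in error messages. The script below shows what an access log actually captures in each case and scans Combined Log Format lines for credentials in query strings, redacting them in its report. The log lines, the `/arsys/plugins/flashboard` path and the parameter names (`username`, `password`, and the rest of `SENSITIVE_PARAMS`) are constructed for the example; they are not the Mid Tier's real request format, and the name list should be adapted to the application being audited.

```python
"""Find credentials leaked into URL query strings in web server access logs.

Added example for the ARSList thread above; not BMC code. Log lines,
paths and parameter names below are constructed, not taken from a real
Mid Tier deployment.
"""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names that should never appear in a URL (assumption; extend
# with whatever your application actually calls its credential fields).
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pass", "secret", "token"}

# Combined Log Format:
#   client ident user [time] "METHOD target HTTP/x.y" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample log. Line 1 is the pre-patch behaviour (credentials in
# the GET query string); line 2 is the post-patch behaviour (same parameters
# in a POST body, which the access log never sees); line 3 is a normal request.
SAMPLE_LOG = [
    '10.0.0.5 - - [23/Sep/2011:16:59:01 -0400] "GET /arsys/plugins/flashboard'
    '?server=ars01&username=thad&password=Hunter2%21 HTTP/1.1" 500 812 "-" "BMC Remedy User"',
    '10.0.0.5 - - [23/Sep/2011:16:59:05 -0400] "POST /arsys/plugins/flashboard HTTP/1.1"'
    ' 200 4096 "-" "BMC Remedy User"',
    '10.0.0.9 - - [23/Sep/2011:17:01:12 -0400] "GET /arsys/shared/login.jsp?server=ars01'
    ' HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
]


def logged_request_line(method: str, path: str, params: dict) -> str:
    """Return the request line the web server writes to its access log.

    With GET the parameters travel in the request-URI and are logged; with
    POST they travel in the body, which access logs do not record.
    """
    if method.upper() == "GET":
        return f"GET {path}?{urlencode(params)} HTTP/1.1"
    return f"{method.upper()} {path} HTTP/1.1"


def sensitive_query_keys(target: str) -> list:
    """Names of sensitive parameters present in a request target's query string."""
    query = urlsplit(target).query
    return sorted({k for k, _ in parse_qsl(query, keep_blank_values=True)
                   if k.lower() in SENSITIVE_PARAMS})


def redact_target(target: str) -> str:
    """Replace sensitive parameter values with REDACTED, leaving the rest intact."""
    parts = urlsplit(target)
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def scan_access_log(lines) -> list:
    """Return one finding per log line whose request target carries a credential.

    Each finding is a dict with the client, timestamp, method, the redacted
    target (safe to paste into a ticket) and the list of leaked parameter names.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        leaked = sensitive_query_keys(m["target"])
        if leaked:
            findings.append({
                "client": m["client"],
                "time": m["time"],
                "method": m["method"],
                "target": redact_target(m["target"]),
                "leaked": leaked,
            })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} {f['method']} {f['target']} leaked={f['leaked']}")
```

Run it against a real access log with `scan_access_log(open(path))` to find out whether the leak the security team flagged has already happened and how often. Two caveats a practitioner will want: TLS does not help here, because the URL is logged in plain text on the server side after decryption, and an access log is only one of the places a URL ends up (error pages, as in the screenshot Thad describes, browser history, proxy logs and the Referer header of any follow-on request are others), so the real fix is the one in the release note, moving the credentials out of the URL, not scrubbing the logs.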