You will still need to encrypt your HTTP traffic to keep people from reading the username and password off the wire. Even though it's a POST, the content may still be logged to your web server's logs depending on how the logging is set up. It may also be logged to your mid tier logs depending on how those logs are set up.
Axton Grams

On Fri, Sep 23, 2011 at 5:42 PM, Thad Esser <[email protected]> wrote:
> David,
>
> You were spot on!! From the 7.5, patch 7 release notes, resolved issues:
>
> SW00368694 - BMC Remedy User did not conceal or encrypt the username and
> password information when retrieving flashboards data.
>
> SW00372303 - When opening a flashboard, BMC Remedy User sent the username
> and password as part of the URL (GET method), instead of sending them as
> part of the data portion (POST method) of the mid tier request URL.
>
> Time to upgrade. Again. Seems like we barely got to 7.1 (although it has
> been a couple of years now I guess).
>
> Thanks a million,
> Thad
>
> On Fri, Sep 23, 2011 at 2:29 PM, David Durling <[email protected]> wrote:
>
>> Without looking, I think patch 007 of the 7.5 BMC Remedy User fixed a
>> password-related issue. It should be in the release notes.
>>
>> David Durling
>> University of Georgia
>>
>> From: Action Request System discussion list (ARSList) [mailto:[email protected]] On Behalf Of Thad Esser
>> Sent: Friday, September 23, 2011 4:59 PM
>> To: [email protected]
>> Subject: Passwords in URLs
>>
>> Hi,
>>
>> I'm pretty sure there's no resolution to this, but I wanted to ask the
>> list anyway. A user (using the user tool) recently noticed that his
>> password is displayed in clear text on an error message (see the red box on
>> the attached screenshot). He happened to be building a PDT for SRM at the
>> time, but I've seen similar errors on other data visualization fields. We
>> don't see enough of these errors for me to have ever fully chased it down,
>> although now that it's been brought up to the security team, it is probably
>> going to become a priority. They say it will show up as clear text in the
>> web logs as well.
>>
>> Does anyone have any suggestions on how to eliminate the issue, or explain
>> it away?
>>
>> ARS 7.1 on AIX with Oracle 10g remote
>> Midtier 7.5 p6
>> ITSM 7.0.3 p9
>> SRM 2.2 p4
>>
>> Thanks,
>>
>> Thad
>>
>> _attend WWRUG11 www.wwrug.com ARSlist: "Where the Answers Are"_

_______________________________________________________________________________
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
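The logging point in Axton's reply is easy to verify against your own access logs. What follows is an added example, not code from this thread or from BMC: a small Python script that scans Common Log Format access-log lines for credential-like query parameters and writes out a redacted copy. The parameter-name list and the sample log lines are constructed assumptions, not taken from any real server. It flags a POST whose query string carries credentials in the same way as a GET, which is the distinction the SW00372303 fix relies on: only credentials moved into the POST body stay out of the request line that the web server records.

```python
"""Scan web-server access-log lines for credentials carried in the request URL
and produce a redacted copy.  Added example; not part of the original thread."""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query-parameter names treated as credentials.  This set is an assumption;
# extend it with the parameter names your own applications use.
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pass", "username", "user", "login"}

# Apache/NCSA Common Log Format.  Only the quoted request line is parsed in detail.
LOG_RE = re.compile(
    r'^(?P<prefix>\S+ \S+ \S+ \[[^\]]+\] ")'
    r'(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[0-9.]+)'
    r'(?P<suffix>".*)$'
)


def sensitive_params_in(target):
    """Names of credential-like query parameters present in a request target."""
    query = urlsplit(target).query
    return sorted({k for k, _ in parse_qsl(query, keep_blank_values=True)
                   if k.lower() in SENSITIVE_PARAMS})


def redact_target(target):
    """Mask the values of credential-like query parameters; keep everything else."""
    parts = urlsplit(target)
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(pairs), parts.fragment))


def scan_log(lines):
    """Return (findings, redacted_lines).

    findings: (line_number, method, [param names]) for every request whose URL
    carries a credential-like parameter, whatever the method: a POST with
    credentials in its query string is logged exactly like a GET.
    redacted_lines: the same log with those values masked, so it can be
    retained or shared without exposing passwords.
    """
    findings, redacted = [], []
    for n, line in enumerate(lines, start=1):
        m = LOG_RE.match(line)
        if not m:
            redacted.append(line)  # not CLF; leave untouched rather than guess
            continue
        params = sensitive_params_in(m["target"])
        if params:
            findings.append((n, m["method"], params))
            line = (m["prefix"]
                    + f'{m["method"]} {redact_target(m["target"])} {m["proto"]}'
                    + m["suffix"])
        redacted.append(line)
    return findings, redacted


# Constructed sample lines (not from any real server).  Line 2 resembles the
# flashboard request described in the thread: credentials in a GET query string.
SAMPLE_LOG = [
    '10.0.0.5 - - [23/Sep/2011:16:59:01 -0400] "GET /arsys/home HTTP/1.1" 200 512',
    '10.0.0.5 - - [23/Sep/2011:16:59:07 -0400] "GET /arsys/flashboards/data'
    '?server=ars1&username=alice&password=Hunter2 HTTP/1.1" 200 2048',
    '10.0.0.9 - - [23/Sep/2011:17:02:44 -0400] "POST /arsys/login?user=jdoe&pwd=abc123 HTTP/1.1" 302 0',
    'garbage line that is not in common log format',
]

if __name__ == "__main__":
    found, clean = scan_log(SAMPLE_LOG)
    for n, method, params in found:
        print(f"line {n}: {method} request carries {', '.join(params)} in the URL")
    print("\n".join(clean))
```

Running it against real access logs is a quick way to measure how many log lines already hold credentials and need scrubbing; the parameter names reported (never the values) tell you which application paths still send credentials in the URL. The script only looks at the request line, so it cannot see credentials in POST bodies, which is the point of the fix, but as Axton notes those may still appear in other logs depending on configuration.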

