Greetings ARSlist.
We have come across a fairly large security issue with AR System 7.5.
If you use any of the new-style Templates which include in them graphics
and then attempt to display these on the Windows Client (WUT) with
active link logging turned on, the Username and Password of the user will
be displayed in clear text in the log file.
The following is an edited version of the issue that I have open with
our BMC Partner (Fusion):
I have created a dummy account on our 7.5 patch 001 system and have
logged in with that account using the 7.5 patch 001 WUT. I then
turned on Active Link logging.
Next I opened the uidemo form that BMC have provided as that has a
number of templates with graphics in them. I clicked on the "Hover
and Tooltips" panel and hovered the mouse over a row in the "Hover
on Table Row" table. The window that resulted had the template text
but no graphic was displayed (possibly understandable with the WUT).
I then turned logging off.
Search through the log file for any references to the field "Format
Buffer" and you will see the full URL of any graphics file being
shown along with the FULL log-in credentials of the dummy user.
Here is an extract from the log file:
<ACTL> Checking uidemo: Hover and Tooltips - on row select (0)
<ACTL> -> Passed qualification -- perform if actions
<ACTL> 0: Set Fields
<ACTL> Format Buffer (536971496) = <html>
<body leftmargin="0" topmargin="0">
<!--<div style="height:100%; background:#E6E6E6"> -->
<table border="0">
<tr>
<td><img
src="http://newcicero.open.ac.uk:8888/arsys/sharedresources/image/srm_service_advanced.jpg?server=newcicero.open.ac.uk&username=dummy&pwd=Youshouldntseethis&auth&native=1"/></td>
<td colspan="2" style="padding:3px; vertical-align:top;
font-weight:bold">Advanced</td>
</tr>
<tr>
<td colspan="2"><font size="2">Advanced services including everything from
A-Z</font></td>
</tr>
</table>
<!-- </div> -->
</body>
</html>
We are getting round this problem now by amending the workflow that
calls the template so that a graphics-free template is used for WUT users.
I am posting this here as I think that the wider AR System community
need to know. If I get any feedback from BMC I will post it here, but
going on another issue I currently have open with BMC I'm not holding my
breath for an answer in the short term.
Cheers,
Ian
------------------------------------------------------------------------
Ian Trimnell, AR System Lead Developer (amongst other jobs),
Specialist Support & Information Team, Academic & Administrative
Computing Service
Open University, MILTON KEYNES, UK
Phone: 01908 653741 web: http://www.open.ac.uk/
The Open University is incorporated by Royal Charter (RC 000391), an
exempt charity in England & Wales and a charity registered in Scotland
(SC 038302).
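The post shows the credentials surviving in the active-link log because the Set Fields action writes the template HTML, image URL and all, into "Format Buffer". Below is an added example (not code from the post, from the Open University, or from BMC) of the check a practitioner would want before such a log leaves the workstation: it isolates each Format Buffer entry, finds any URL whose query string carries a username/pwd-style parameter, reports it, and writes a copy with the secret values masked. The log text is constructed to mirror the shape of the extract above; the hostname, account name and password in it are made up, as is the list of parameter names treated as credentials. Note that the query string itself is the real exposure: whatever produced this log line also sent those parameters over HTTP, so scrubbing the log is containment, not a fix.

```python
"""Audit and redact an AR System active-link log for credentials that leak
through template image URLs (Format Buffer entries).

Added example; not part of the original post or of any BMC tooling.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample, shaped like the log extract in the post. Host, account
# and password are invented. The second Format Buffer carries a clean URL so
# the scan has a negative case to leave alone.
SAMPLE_LOG = """\
<ACTL> Checking uidemo: Hover and Tooltips - on row select (0)
<ACTL> -> Passed qualification -- perform if actions
<ACTL> 0: Set Fields
<ACTL> Format Buffer (536971496) = <html>
<body>
<table border="0">
<tr>
<td><img src="http://arserver.example.com:8888/arsys/sharedresources/image/svc.jpg?server=arserver.example.com&username=dummy&pwd=Youshouldntseethis&auth&native=1"/></td>
<td>Advanced</td>
</tr>
</table>
</body>
</html>
<ACTL> 1: Set Fields
<ACTL> Format Buffer (536971497) = <html><body><img src="http://arserver.example.com:8888/arsys/sharedresources/image/plain.jpg"/></body></html>
<ACTL> Done
"""

# Parameter names treated as credentials (assumption: the post shows
# 'username' and 'pwd'; the others are common spellings added for coverage).
CREDENTIAL_PARAMS = {"username", "pwd", "password", "passwd"}
# Only the secret half is masked; the username is kept so the scrubbed log
# still tells you whose session leaked.
SECRET_PARAM_RE = re.compile(r"([?&])(pwd|password|passwd)=([^&\"'\s<>]*)", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def format_buffer_entries(log_text):
    """Return [(line_no, entry_text)] for each 'Format Buffer' entry.
    The HTML value is multi-line and runs until the next <ACTL> line."""
    entries, current, start = [], None, None
    for no, line in enumerate(log_text.splitlines(), 1):
        if line.startswith("<ACTL>"):
            if current is not None:
                entries.append((start, "\n".join(current)))
                current = None
            if "Format Buffer" in line:
                current, start = [line], no
        elif current is not None:
            current.append(line)
    if current is not None:
        entries.append((start, "\n".join(current)))
    return entries


def find_credential_urls(text):
    """Return [(url, {param: value})] for every URL in text whose query
    string carries a credential-looking parameter name."""
    hits = []
    for m in URL_RE.finditer(text):
        url = m.group(0)
        params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
        leaked = {k: v for k, v in params if k.lower() in CREDENTIAL_PARAMS}
        if leaked:
            hits.append((url, leaked))
    return hits


def redact(text):
    """Mask the value of every secret parameter in every URL in text,
    leaving the rest of the line (and the username) intact."""
    return SECRET_PARAM_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}=[REDACTED]", text)


def audit_log(log_text):
    """Return one finding per leaking URL: the Format Buffer line number,
    the parameter names involved, and the URL with secrets masked."""
    findings = []
    for line_no, body in format_buffer_entries(log_text):
        for url, leaked in find_credential_urls(body):
            findings.append({"line": line_no, "params": sorted(leaked), "url": redact(url)})
    return findings


if __name__ == "__main__":
    for f in audit_log(SAMPLE_LOG):
        print(f"line {f['line']}: {', '.join(f['params'])} in {f['url']}")
    # Write the scrubbed copy; the original stays on disk for the case file.
    with open("arlog.redacted.txt", "w", encoding="utf-8") as fh:
        fh.write(redact(SAMPLE_LOG))
```

Run it against a real active-link log by reading the file into `audit_log` and `redact` in place of `SAMPLE_LOG`; the scan keys on the `<ACTL>` line prefix and the literal text "Format Buffer", so if a different log format is in use adjust `format_buffer_entries` accordingly.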