They should really remove the URL parameters used to pass the username and
password.  There is no reason those should EVER be used.  It's a bad thing
to do and it's there due to poor design.  Anything that uses those URL
parameters is also poorly designed.

Axton

The opinions, statements, and/or suggested courses of action expressed in
this E-mail do not necessarily reflect those of BMC Software, Inc.  My
voluntary participation in this forum is not intended to convey a role as a
spokesperson, liaison or public relations representative for BMC Software,
Inc.

On Wed, Mar 2, 2011 at 12:18 AM, Ian Trimnell <i.d.trimn...@open.ac.uk> wrote:

> On 01/03/2011 21:25, Larry Barnes wrote:
>
> We have a Service Request template called "Cabinet", when we attempt to
> open it using the Request Entry link we get a JavaScript error.
> The error displays the users logon id and p/w!  This is the only
> template that is causing us issues.
>
> A modification was made prior to this error showing up.  Some of the
> questions were removed and replaced with different questions.  Once the
> questions were sequenced the mapping was removed and rebuilt; this is
> when the problem started.
> The questions were Single Answer Menu type questions.  One of the
> questions would not display the menu to select from.
>
> Finally we completely rebuilt the SRD and everything is working now but
> my concern is why would the user's name and password be displayed on the
> screen?
>
> Has anyone seen this before?
>
> The Java error is:
>
>    An error has occurred in the script on this page.
>
>     Line:  123
>     Char:   22
>     Error:   Unterminated string constant
>     Code:   0
>     
>     URL:   http://remedyweb/arsys/plugins/SRMSServiceRequestGrowser/params?name=&server=remedy%2Exxxxxxx%2Ecom&username=tester&pwd=tmp1234&auth=&fieldid=302899
>       
>       
>     Do you want to continue   Yes  or No
>
> The actual password and user name are displayed on the screen!
>
>
> Thanks for your time,
>
> Larry B.
>
>  Hi Larry,
>
> You don't say which version of the server you are running.  When we first
> installed 7.5, when it was released, we noticed that the user details were
> being passed through to web calls (flashboards, images, view fields, etc.)
> and also appearing in log files (especially the active link log file).  We
> raised this with BMC and it was fixed during a patch release (I think it was
> there by patch 004, but am not entirely sure).
>
> I have checked the BMC support site and it looks as though it was fixed at
> patch 003 of 7.5.00.
>
> If you are using a version of AR System server later than this then it
> looks as though they have exposed the old error again.
>
> Hope this helps in some way,
>  Ian
> ------------------------------
> Ian Trimnell, Systems Programmer, Client Systems
> Distributed Systems, Information Technology
> Open University, MILTON KEYNES, UK
> Phone: 01908 653741   web: http://www.open.ac.uk/
> The Open University is incorporated by Royal Charter (RC 000391), an exempt
> charity in England & Wales and a charity registered in Scotland (SC 038302).
>  _attend WWRUG11 www.wwrug.com ARSlist: "Where the Answers Are"_
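
The thread above reports the `username` and `pwd` URL parameters showing up in an error dialog and in log files. As an added example (not code from the thread or from BMC), the following Python sketch flags and redacts those two parameters in log lines; the parameter list comes from the quoted URL, and the sample log lines, host, user and password are constructed.

```python
import re

# Parameter names as they appear in the URL quoted in the thread (assumption:
# other deployments may need more names added to this tuple).
SENSITIVE_PARAMS = ("username", "pwd")

# Matches ?name=value or &name=value with a non-empty value; the value ends at
# the next '&', '#', whitespace or quote. Empty parameters are not flagged.
_CRED = re.compile(
    r"(?P<lead>[?&](?P<name>%s)=)(?P<value>[^&#\s\"']+)" % "|".join(SENSITIVE_PARAMS),
    re.IGNORECASE,
)

def redact(line):
    """Return (redacted_line, sorted names of parameters that carried a value)."""
    found = set()

    def _sub(match):
        found.add(match.group("name").lower())
        return match.group("lead") + "[REDACTED]"

    return _CRED.sub(_sub, line), sorted(found)

def scan(lines):
    """Return [(line_number, redacted_line, names)] for lines that leak credentials."""
    report = []
    for number, line in enumerate(lines, 1):
        clean, names = redact(line)
        if names:
            report.append((number, clean, names))
    return report

# Constructed sample log lines; the host, user and password are made up.
SAMPLE = [
    '10.0.0.5 - - "GET /arsys/plugins/example/params?name=&server=remedy%2Eexample%2Ecom'
    '&username=alice&pwd=S3cret%21&auth=&fieldid=1 HTTP/1.1" 200',
    '10.0.0.5 - - "GET /arsys/forms/example?username=&pwd= HTTP/1.1" 200',
    '10.0.0.6 - - "GET /arsys/images/logo.gif HTTP/1.1" 200',
]

if __name__ == "__main__":
    for number, clean, names in scan(SAMPLE):
        print(f"line {number}: credentials in URL ({', '.join(names)})")
        print(f"  {clean}")
```

Only the values are replaced, so the rest of each line (including percent-encoded parameters such as `server`) stays byte-for-byte intact for later correlation.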
