Agreed! It's wrong on so many levels...
The server process shouldn't even know what the user's password is,
much less pass it somewhere else.

I really hope that "fixing" it didn't simply mean "we changed it to a POST"

Juan Ingles
On Wed, Mar 2, 2011 at 6:35 AM, Axton <axton.gr...@gmail.com> wrote:
> They should really remove the URL parameters used to pass the username
> and password.  There is no reason those should EVER be used.  It's a bad
> thing to do and it's there due to poor design.  Anything that uses those URL
> parameters is also poorly designed.
>
> Axton
> The opinions, statements, and/or suggested courses of action expressed in
> this E-mail do not necessarily reflect those of BMC Software, Inc.  My
> voluntary participation in this forum is not intended to convey a role as a
> spokesperson, liaison or public relations representative for BMC Software,
> Inc.
> On Wed, Mar 2, 2011 at 12:18 AM, Ian Trimnell <i.d.trimn...@open.ac.uk>
> wrote:
>>
>> On 01/03/2011 21:25, Larry Barnes wrote:
>>
>> We have a Service Request template called "Cabinet"; when we attempt to
>> open it using the Request Entry link we get a JavaScript error.
>> The error displays the user's logon id and p/w!  This is the only
>> template that is causing us issues.
>>
>> A modification was made prior to this error showing up.  Some of the
>> questions were removed and replaced with different questions.  Once the
>> questions were sequenced the mapping was removed and rebuilt; this is
>> when the problem started.
>> The questions were Single Answer Menu type questions.  One of the
>> questions would not display the menu to select from.
>> Finally we completely rebuilt the SRD and everything is working now but
>> my concern is why would the user's name and password be displayed on the
>> screen?
>> Has anyone seen this before?
>> The Java error is:
>>    An error has occurred in the script on this page.
>>     Line:  123
>>     Char:   22
>>     Error:   Unterminated string constant
>>     Code:   0
>>     URL:
>> http://remedyweb/arsys/plugins/SRMSServiceRequestGrowser/params?name=&server=remedy%2Exxxxxxx%2Ecom&username=tester&pwd=tmp1234&auth=&fieldid=302899
>>
>>     Do you want to continue   Yes  or No
>> The actual password and user name are displayed on the screen!
>> Thanks for your time,
>> Larry B.
>>
>> Hi Larry,
>>
>> You don't say which version of the server you are running.  When we first
>> installed 7.5, when it was released, we noticed that the user details were
>> being passed through to web calls (flashboards, images, view fields, etc.)
>> and also appearing in log files (especially the active link log file).  We
>> raised this with BMC and it was fixed during a patch release (I think it was
>> there by patch 004, but am not entirely sure).
>>
>> I have checked the BMC support site and it looks as though it was fixed at
>> patch 003 of 7.5.00.
>>
>> If you are using a version of AR System server later than this then it
>> looks as though they have exposed the old error again.
>>
>> Hope this helps in some way,
>>
>> Ian
>> ________________________________
>> Ian Trimnell, Systems Programmer, Client Systems
>> Distributed Systems, Information Technology
>> Open University, MILTON KEYNES, UK
>> Phone: 01908 653741   web: http://www.open.ac.uk/
>> The Open University is incorporated by Royal Charter (RC 000391), an
>> exempt charity in England & Wales and a charity registered in Scotland (SC
>> 038302).
>> _attend WWRUG11 www.wwrug.com ARSlist: "Where the Answers Are"_
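As an added defender-side check (example code, not from any of the posters or from BMC): a scan over constructed access-log lines that flags requests carrying a password in the query string, the way the reported URL carried `username=` and `pwd=`, and returns a redacted copy that is safe to keep. The log format, the `/arsys/plugins/EXAMPLE/params` path and every parameter name other than `pwd` and `username` are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# `pwd` is the parameter name visible in the reported URL; the other names
# are assumed aliases that deserve the same treatment.
SECRET_PARAMS = {"pwd", "password", "passwd"}

# Constructed sample access-log lines (not real data); the first carries a
# credential pair in its query string the way the reported URL did.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Mar/2011:06:35:00 +0000] "GET /arsys/plugins/EXAMPLE/params?name=&server=remedy.example.com&username=tester&pwd=tmp1234&auth=&fieldid=302899 HTTP/1.1" 500 0
10.0.0.6 - - [02/Mar/2011:06:36:12 +0000] "GET /arsys/shared/images/logo.gif HTTP/1.1" 200 4311
10.0.0.7 - - [02/Mar/2011:06:37:40 +0000] "POST /arsys/servlet/LoginServlet HTTP/1.1" 302 0
"""

# Pulls the request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)"')


def redact_target(target):
    """Return (redacted_target, leaked). leaked is True when a password-type
    parameter carried a non-empty value; that value is replaced with REDACTED.
    The username is kept because it is what an investigator needs to follow up."""
    parts = urlsplit(target)
    leaked = False
    cleaned = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SECRET_PARAMS and value:
            leaked = True
            value = "REDACTED"
        cleaned.append((key, value))
    return urlunsplit(parts._replace(query=urlencode(cleaned))), leaked


def scan_log(text):
    """Return [(line_no, redacted_line)] for every request whose query string
    carried a password; lines without a credential are not reported."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        redacted, leaked = redact_target(match.group("target"))
        if leaked:
            findings.append((line_no, line.replace(match.group("target"), redacted)))
    return findings


if __name__ == "__main__":
    for line_no, line in scan_log(SAMPLE_LOG):
        print(f"password in query string at line {line_no}: {line}")
```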

_______________________________________________________________________________
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org