Just as some supporting information, when you pass the username and password
in this way, these are some of the potential places the username and
password will be stored:
- browser cache
- web server logs
- forward proxy server logs
- reverse proxy server logs
- 3rd party web server logs (as the referrer)

And of course every wire between you and the web server and every wire
between any 3rd party web servers that you load content from and your web
server.  If your network has IDS/IPS systems, it probably goes into the logs
there too.  If your network is heavily monitored and network traffic is
collected and retained, it's in those logs too.

So when you use this method to log in, you stamp your credentials all over
the place for prying eyes to see, whether it's the next person that logs
into the workstation or a person (of good or mal-intent) on various servers
(that you may or may not own).

If you use this regularly, then the logs on those servers become a treasure
trove of login information.

The opinions, statements, and/or suggested courses of action expressed in
this E-mail do not necessarily reflect those of BMC Software, Inc.  My
voluntary participation in this forum is not intended to convey a role as a
spokesperson, liaison or public relations representative for BMC Software,
Inc.

On Thu, Mar 10, 2011 at 9:36 AM, Axton <axton.gr...@gmail.com> wrote:

> It's just my opinion, which is that it is fire, and if you play with it
> you could get burned.  I don't use it, I will never use it, and I will
> recommend the same for anyone else that is thinking of using it or
> suggesting its use.
>
> Axton Grams
>
> The opinions, statements, and/or suggested courses of action expressed in
> this E-mail do not necessarily reflect those of BMC Software, Inc.  My
> voluntary participation in this forum is not intended to convey a role as a
> spokesperson, liaison or public relations representative for BMC Software,
> Inc.
>
> On Thu, Mar 10, 2011 at 9:05 AM, Craig Carter <
> craig.car...@arpc.denver.af.mil> wrote:
>
>> The parameters are there as an option--you don't have to use them.
>> While you can state your opinion, you should not call for removal of
>> existing functionality when a lot of sites/companies are already using these
>> and there are situations where they are needed and are perfectly fine.
>>
>> Bugs should obviously be fixed.
>>
>> Craig Carter
>>
>>
>> -----Original Message-----
>> From: Action Request System discussion list(ARSList) [mailto:
>> arslist@ARSLIST.ORG] On Behalf Of Juan Ingles
>> Sent: Wednesday, March 02, 2011 3:42 PM
>> To: arslist@ARSLIST.ORG
>> Subject: Re: Java script error - security issue
>>
>> Agreed! It's wrong on so many levels...
>> The server process shouldn't even know what the user's password is,
>> much less pass it somewhere else.
>>
>> I really hope that "fixing" it didn't simply mean "we changed it to a
>> POST"
>>
>> Juan Ingles
>>
>>
>>
>> On Wed, Mar 2, 2011 at 6:35 AM, Axton <axton.gr...@gmail.com> wrote:
>> > ** They should really remove the URL parameters used to pass the
>> > username and password.  There is no reason those should EVER be used.  It's a bad
>> > thing to do and it's there due to poor design.  Anything that uses those
>> > URL parameters is also poorly designed.
>> >
>> > Axton
>> > The opinions, statements, and/or suggested courses of action expressed
>> > in this E-mail do not necessarily reflect those of BMC Software, Inc.  My
>> > voluntary participation in this forum is not intended to convey a role
>> > as a spokesperson, liaison or public relations representative for BMC
>> > Software, Inc.
>> > On Wed, Mar 2, 2011 at 12:18 AM, Ian Trimnell <i.d.trimn...@open.ac.uk>
>> > wrote:
>> >>
>> >> **
>> >> On 01/03/2011 21:25, Larry Barnes wrote:
>> >>
>> >> We have a Service Request template called "Cabinet"; when we attempt to
>> >> open it using the Request Entry link we get a java script error.
>> >> The error displays the users logon id and p/w!  This is the only
>> >> template that is causing us issues.
>> >>
>> >> A modification was made prior to this error showing up.  Some of the
>> >> questions were removed and replaced with different questions.  Once the
>> >> questions were sequenced the mapping was removed and rebuilt; this is
>> >> when the problem started.
>> >> The questions were Single Answer Menu type questions.  One of the
>> >> questions would not display the menu to select from.
>> >> Finally we completely rebuilt the SRD and everything is working now but
>> >> my concern is why would the user's name and password be displayed on
>> >> the screen?
>> >> Has anyone seen this before?
>> >> The Java error is:
>> >>    An error has occurred in the script on this page.
>> >>     Line:  123
>> >>     Char:   22
>> >>     Error:   Unterminated string constant
>> >>     Code:   0
>> >>     URL:
>> >> http://remedyweb/arsys/plugins/SRMSServiceRequestGrowser/params?name=&server=remedy%2Exxxxxxx%2Ecom&username=tester&pwd=tmp1234&auth=&fieldid=302899
>> >>
>> >>
>> >>     Do you want to continue   Yes  or No
>> >> The actual password and user name are displayed on the screen!
>> >> Thanks for your time,
>> >> Larry B.
>> >>
>> >> Hi Larry,
>> >>
>> >> You don't say which version of the server you are running.  When we
>> >> first installed 7.5, when it was released, we noticed that the user details
>> >> were being passed through to web calls (flashboards, images, view fields,
>> >> etc.) and also appearing in log files (especially the active link log file).
>> >> We raised this with BMC and it was fixed during a patch release (I think
>> >> it was there by patch 004, but am not entirely sure).
>> >>
>> >> I have checked the BMC support site and it looks as though it was fixed
>> >> at patch 003 of 7.5.00.
>> >>
>> >> If you are using a version of AR System server later than this then it
>> >> looks as though they have exposed the old error again.
>> >>
>> >> Hope this helps in some way,
>> >>
>> >> Ian
>> >> ________________________________
>> >> Ian Trimnell, Systems Programmer, Client Systems
>> >> Distributed Systems, Information Technology
>> >> Open University, MILTON KEYNES, UK
>> >> Phone: 01908 653741   web: http://www.open.ac.uk/
>> >> The Open University is incorporated by Royal Charter (RC 000391), an
>> >> exempt charity in England & Wales and a charity registered in Scotland
>> >> (SC 038302).
>> >> _attend WWRUG11 www.wwrug.com ARSlist: "Where the Answers Are"_
>> >
>>
>>
>> _______________________________________________________________________________
>> UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
>> attend wwrug11 www.wwrug.com ARSList: "Where the Answers Are"
>>
>>
>>
>
>

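A defender-side illustration of the point made at the top of this message, added here and not part of the thread: a small Python filter that finds and redacts credential-bearing query parameters (the username= and pwd= keys from the URL quoted further down in the thread, plus a few common variants) in both the request line and the Referer field of combined-format web server access logs, so that retained logs stop being the "treasure trove" described. The log lines, hosts, IPs and credentials are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query-string keys that carry credentials in the URLs discussed in the thread
# (username=, pwd=) plus common variants; extend for your own application.
SENSITIVE_KEYS = {"username", "pwd", "password", "passwd", "auth"}

# Apache/nginx "combined" log format; named groups preserve the untouched parts.
LOG_RE = re.compile(
    r'^(?P<pre>\S+ \S+ \S+ \[[^\]]+\] ")(?P<method>\S+) (?P<url>\S+) '
    r'(?P<proto>[^"]+)(?P<mid>" \d{3} \S+ ")(?P<referer>[^"]*)(?P<post>".*)$'
)

# Constructed sample lines (IPs, hostnames and credentials are all made up):
# one request with credentials in its own URL, one that only carries them in
# the Referer (what a third-party web server would log).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Mar/2011:09:36:01 -0600] "GET /app/params?name=&server='
    'remedy%2Eexample%2Ecom&username=jdoe&pwd=s3cret&auth=&fieldid=302899 '
    'HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Mar/2011:09:36:05 -0600] "GET /images/logo.png HTTP/1.1" '
    '200 1042 "http://remedyweb/arsys/home?username=jdoe&pwd=s3cret" "Mozilla/5.0"',
]

def redact_url(url):
    """Replace each non-empty sensitive query value with REDACTED; return (url, hits)."""
    parts = urlsplit(url)
    if not parts.query:
        return url, 0
    hits, params = 0, []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_KEYS and value:
            params.append((key, "REDACTED"))
            hits += 1
        else:
            params.append((key, value))
    return urlunsplit(parts._replace(query=urlencode(params))), hits

def redact_log_line(line):
    """Redact URL and Referer of one combined-format line; other formats pass through."""
    m = LOG_RE.match(line)
    if not m:
        return line, 0
    url, url_hits = redact_url(m.group("url"))
    ref, ref_hits = redact_url(m.group("referer"))
    rebuilt = (m.group("pre") + m.group("method") + " " + url + " " +
               m.group("proto") + m.group("mid") + ref + m.group("post"))
    return rebuilt, url_hits + ref_hits
```

Run it over a log stream (one call to redact_log_line per line) before the file is shipped to long-term retention; the hit count per line doubles as a detection signal that someone is still using the URL-parameter login.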
