Re: Security issue with 7.5

2009-05-25 Thread Munukutla,Ravishankar
Hi Ian,

>> I think that the log file issue has not been resolved in any currently 
>> available version of 7.5 (it is still there in the original release and 
>> patch 001).
Yes, you are correct. This is not resolved in any of the released versions of 
7.5.
This will make it in 7.5 Patch 003. Patch 001 is already released and Patch 002 
is going to be released soon.


>>The URL with user name and password is also shown when you show the source of 
>>any view field that contains the content of a template.

I agree this is a defect and it is being worked on. The same holds true when using 
Flashboards; it is just that in a Flashboard one doesn't get to right-click and 
view source.

Regards,

Ravishankar

The opinions, statements, and/or suggested courses of action expressed in this 
E-mail do not necessarily reflect those of BMC Software, Inc.  My voluntary 
participation in this forum is not intended to convey a role as a spokesperson, 
liaison or public relations representative for BMC Software, Inc.


From: Action Request System discussion list(ARSList) 
[mailto:arsl...@arslist.org] On Behalf Of Ian Trimnell
Sent: Monday, May 25, 2009 8:10 PM
To: arslist@ARSLIST.ORG
Subject: Re: Security issue with 7.5

Munukutla,Ravishankar wrote:
Thanks for bringing this up. For now the issue with showing password in the 
logs files is resolved in 7.5.

>> I would think that the password/username should not be required to fetch 
>>resources from the sharedresources directory.  This looks to be a problem in 
>>the active link 'uidemo:  Hover and Tooltips'; hopefully this logic was not 
>>replicated.  Imho, the pwd url parameter should be deprecated altogether.  
>>There is no case to justify its use as it is insecure by nature.

The shared resources are fetched by the Mid-tier from the AR Server, and when 
asked for shared resources (used in Templates), the User Tool doesn't fetch 
them from the AR Server but points to the Mid-tier URL and renders the same in 
the View field.

However, there is still an open issue being worked upon, "the password in the 
url parameter".

Regards,
Ravishankar

Ravishankar,

I think that the log file issue has not been resolved in any currently 
available version of 7.5 (it is still there in the original release and patch 
001).

The URL with user name and password is also shown when you show the source of 
any view field that contains the content of a template.

I currently have an issue open with BMC about this which has not yet reached 
any satisfactory solution.  BMC support are still in their prevarication mode 
and haven't agreed that there is any issue to resolve yet.

If you know any different then perhaps you can let them know.

Thanks,

Ian

Ian Trimnell, AR System Lead Developer (amongst other jobs),
Specialist Support & Information Team, Academic & Administrative Computing 
Service
Open University, MILTON KEYNES, UK
Phone: 01908 653741   web: http://www.open.ac.uk/
The Open University is incorporated by Royal Charter (RC 000391), an exempt 
charity in England & Wales and a charity registered in Scotland (SC 038302).
_Platinum Sponsor: rmisoluti...@verizon.net ARSlist: "Where the Answers Are"_

___
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
Platinum Sponsor:rmisoluti...@verizon.net ARSlist: "Where the Answers Are"


Re: Security issue with 7.5

2009-05-25 Thread Ian Trimnell

Munukutla,Ravishankar wrote:

Thanks for bringing this up. For now the issue with showing password 
in the logs files is resolved in 7.5.  

>> I would think that the password/username should not be required 
to fetch resources from the sharedresources directory.  This looks to 
be a problem in the active link 'uidemo:  Hover and Tooltips'; 
hopefully this logic was not replicated.  Imho, the pwd url parameter 
should be deprecated altogether.  There is no case to justify its use 
as it is insecure by nature.

The shared resources are fetched by the Mid-tier from the AR Server, and 
when asked for shared resources (used in Templates), the User Tool 
doesn't fetch them from the AR Server but points to the Mid-tier URL and 
renders the same in the View field.

However, there is still an open issue being worked upon, "the password 
in the url parameter".

Regards,

Ravishankar


Ravishankar,

I think that the log file issue has not been resolved in any currently 
available version of 7.5 (it is still there in the original release and 
patch 001).


The URL with user name and password is also shown when you show the 
source of any view field that contains the content of a template.


I currently have an issue open with BMC about this which has not yet 
reached any satisfactory solution.  BMC support are still in their 
prevarication mode and haven't agreed that there is any issue to resolve 
yet.


If you know any different then perhaps you can let them know.

Thanks,

Ian


Ian Trimnell, AR System Lead Developer (amongst other jobs),
Specialist Support & Information Team, Academic & Administrative 
Computing Service

Open University, MILTON KEYNES, UK
Phone: 01908 653741   web: http://www.open.ac.uk/




Re: Security issue with 7.5

2009-05-25 Thread Munukutla,Ravishankar
Thanks for bringing this up. For now the issue with showing password in the 
logs files is resolved in 7.5.

>> I would think that the password/username should not be required to fetch 
>>resources from the sharedresources directory.  This looks to be a problem in 
>>the active link 'uidemo:  Hover and Tooltips'; hopefully this logic was not 
>>replicated.  Imho, the pwd url parameter should be deprecated altogether.  
>>There is no case to justify its use as it is insecure by nature.

The shared resources are fetched by the Mid-tier from the AR Server, and when 
asked for shared resources (used in Templates), the User Tool doesn't fetch 
them from the AR Server but points to the Mid-tier URL and renders the same in 
the View field.

However, there is still an open issue being worked upon, "the password in the 
url parameter"

Regards,
Ravishankar



From: Action Request System discussion list(ARSList) 
[mailto:arsl...@arslist.org] On Behalf Of Axton
Sent: Wednesday, May 20, 2009 9:12 PM
To: arslist@ARSLIST.ORG
Subject: Re: Security issue with 7.5

I would think that the password/username should not be required to fetch 
resources from the sharedresources directory.  This looks to be a problem in 
the active link 'uidemo:  Hover and Tooltips'; hopefully this logic was not 
replicated.  Imho, the pwd url parameter should be deprecated altogether.  
There is no case to justify its use as it is insecure by nature.

Axton Grams

On Wed, May 20, 2009 at 7:13 AM, Ian Trimnell <i.d.trimn...@open.ac.uk> wrote:

Greetings ARSlist.

We have come across a fairly large security issue with AR System 7.5.  If you 
use any of the new-style Templates which include in them graphics and then 
attempt to display these on the Windows Client (WUT) with active link logging 
turned on the Username and Password of the user will be displayed in clear text 
in the log file.

The following is an edited version of the issue that I have open with our BMC 
Partner (Fusion):
I have created a dummy account on our 7.5 patch 001 system and have logged in 
with that account using the 7.5 patch 001 WUT. I then turned on Active Link 
logging.
Next I opened the uidemo form that BMC have provided as that has a number of 
templates with graphics in them. I clicked on the "Hover and Tooltips" panel 
and hovered the mouse over a row in the "Hover on Table Row" table. The window 
that resulted had the template text but no graphic was displayed (possibly 
understandable with the WUT).
I then turned logging off.
Search through the log file for any references to the field "Format Buffer" and 
you will see the full URL of any graphics file being shown along with the FULL 
log-in credentials of the dummy user.

Here is an extract from the log file:

 Checking uidemo:  Hover and Tooltips - on row select (0)
 -> Passed qualification -- perform if actions
  0: Set Fields
 Format Buffer (536971496) = 
   <img src="http://newcicero.open.ac.uk:/arsys/sharedresources/image/srm_service_advanced.jpg?server=newcicero.open.ac.uk&username=dummy&pwd=Youshouldntseethis&auth&native=1" />
   Advanced
   Advanced services including everything from A-Z

We are getting round this problem now by amending the workflow that calls the 
template so that a graphics-free template is used for WUT users.

I am posting this here as I think that the wider AR System community need to 
know.  If I get any feedback from BMC I will post it here, but going on another 
issue I currently have open with BMC I'm not holding my breath for an answer in 
the short term.

Cheers,

Ian

Re: Security issue with 7.5

2009-05-20 Thread Jarl Grøneng
The other issue is that they also send the password as an url...

--
Jarl

2009/5/20 Ian Trimnell :
> Rick Cook wrote:
>
> Shows passwords where?
>
> Rick
>
> Rick,
>
> The passwords are shown in the clear in the worklog file; the one defined in
> the Tools -> Options box under the Logging tab.
>
> Sorry if I had not been specific enough.
>
> Ian
> 
> Ian Trimnell, AR System Lead Developer (amongst other jobs),
> Specialist Support & Information Team, Academic & Administrative Computing
> Service
> Open University, MILTON KEYNES, UK
> Phone: 01908 653741   web: http://www.open.ac.uk/



Re: Security issue with 7.5

2009-05-20 Thread Ian Trimnell

Axton wrote:
I would think that the password/username should not be required to 
fetch resources from the sharedresources directory.  This looks to be 
a problem in the active link 'uidemo:  Hover and Tooltips'; hopefully 
this logic was not replicated.  Imho, the pwd url parameter should be 
deprecated altogether.  There is no case to justify its use as it is 
insecure by nature.


Axton Grams


Axton,

I originally found this issue when I was debugging a bit of work flow 
that I created on our custom forms.  I used uidemo as an example rather 
than sharing my definition files & data with BMC support.


   
I know from experience the sort of questions that they ask before 
they even start on a problem, even when they have been supplied the 
information!  So if I found the problem with some work flow that 
emanated from BMC then that might speed the process up a bit.

I did not copy my work flow from uidemo - rather I based it on 
information obtained from the documentation and also what I gleaned from 
being part of the Beta program.


There are a number of active links in uidemo that use the 
TEMPLATE function, and every time the template is used in the WUT 
and a graphic is used in that template, the username and password 
are to be found as part of the URL.  In fact, there is a View field on 
the 'Hover and Tooltips' panel.  When you click on a row in the 'Hover 
on Table Row' table the view field is filled with the processed 
template.  Right-click on the view field, choose 'View Source' and you 
get to see the HTML.  In the 'src' of the 'img' tag you will find the 
username and password parts containing the security data.


Ian


Ian Trimnell, AR System Lead Developer (amongst other jobs),
Specialist Support & Information Team, Academic & Administrative 
Computing Service

Open University, MILTON KEYNES, UK
Phone: 01908 653741   web: http://www.open.ac.uk/




Re: Security issue with 7.5

2009-05-20 Thread Axton
I would think that the password/username should not be required to fetch
resources from the sharedresources directory.  This looks to be a problem in
the active link 'uidemo:  Hover and Tooltips'; hopefully this logic was not
replicated.  Imho, the pwd url parameter should be deprecated altogether.
There is no case to justify its use as it is insecure by nature.

Axton Grams


On Wed, May 20, 2009 at 7:13 AM, Ian Trimnell wrote:

> Greetings ARSlist.
>
> We have come across a fairly large security issue with AR System 7.5.  If
> you use any of the new-style Templates which include in them graphics and
> then attempt to display these on the Windows Client (WUT) with active link
> logging turned on the Username and Password of the user will be displayed in
> clear text in the log file.
>
> The following is an edited version of the issue that I have open with our
> BMC Partner (Fusion):
>
> I have created a dummy account on our 7.5 patch 001 system and have logged
> in with that account using the 7.5 patch 001 WUT. I then turned on Active
> Link logging.
> Next I opened the uidemo form that BMC have provided as that has a number
> of templates with graphics in them. I clicked on the "Hover and Tooltips"
> panel and hovered the mouse over a row in the "Hover on Table Row" table.
> The window that resulted had the template text but no graphic was displayed
> (possibly understandable with the WUT).
> I then turned logging off.
> Search through the log file for any references to the field "Format Buffer"
> and you will see the full URL of any graphics file being shown along with
> the FULL log-in credentials of the dummy user.
>
> Here is an extract from the log file:
>
>  Checking uidemo:  Hover and Tooltips - on row select (0)
>  -> Passed qualification -- perform if actions
>   0: Set Fields
>  Format Buffer (536971496) = 
>    <img src="http://newcicero.open.ac.uk:/arsys/sharedresources/image/srm_service_advanced.jpg?server=newcicero.open.ac.uk&username=dummy&pwd=Youshouldntseethis&auth&native=1" />
>    Advanced
>    Advanced services including everything from A-Z
>
>  We are getting round this problem now by amending the workflow that calls
> the template so that a graphics-free template is used for WUT users.
>
> I am posting this here as I think that the wider AR System community need
> to know.  If I get any feedback from BMC I will post it here, but going on
> another issue I currently have open with BMC I'm not holding my breath for
> an answer in the short term.
>
> Cheers,
>  Ian
> --
> Ian Trimnell, AR System Lead Developer (amongst other jobs),
> Specialist Support & Information Team, Academic & Administrative Computing
> Service
> Open University, MILTON KEYNES, UK
> Phone: 01908 653741   web: http://www.open.ac.uk/



Re: Security issue with 7.5

2009-05-20 Thread Ian Trimnell

Rick Cook wrote:

Shows passwords where?

Rick

Sent from my Verizon Wireless BlackBerry


*From*: Ian Trimnell
*Date*: Wed, 20 May 2009 13:32:04 +0100
*To*: 
*Subject*: Re: Security issue with 7.5
Lammey, Peter A. wrote:

Are your User accounts set up with specific passwords or are you 
utilizing LDAP authentication?


Thanks
Peter Lammey
ESPN IT Client Architecture and Automation
860-766-4761


Peter,

We are using LDAP authentication and this issue shows passwords where 
users are authenticated against our Active Directory server as well as 
those 'local' users (non-AD accounts) whose passwords are stored in 
the User form.


It is rather worrying, as our Partner has pointed out to BMC, if BMC 
have used these functions on their own applications (ITSM et al). We 
are custom built here and have only noticed this when we were 
debugging our system as we plan to upgrade over the coming weekend.


Ian


Rick,

The passwords are shown in the clear in the worklog file; the one 
defined in the Tools -> Options box under the Logging tab.


Sorry if I had not been specific enough.

Ian


Ian Trimnell, AR System Lead Developer (amongst other jobs),
Specialist Support & Information Team, Academic & Administrative 
Computing Service

Open University, MILTON KEYNES, UK
Phone: 01908 653741   web: http://www.open.ac.uk/




Re: Security issue with 7.5

2009-05-20 Thread Rick Cook
Shows passwords where?

Rick

Sent from my Verizon Wireless BlackBerry

-Original Message-
From: Ian Trimnell 

Date: Wed, 20 May 2009 13:32:04 
To: 
Subject: Re: Security issue with 7.5


Lammey, Peter A. wrote:
> Are your User accounts set up with specific passwords or are you 
> utilizing LDAP authentication?
>
>
> Thanks
> Peter Lammey
> ESPN IT Client Architecture and Automation
> 860-766-4761
>
Peter,

We are using LDAP authentication and this issue shows passwords where 
users are authenticated against our Active Directory server as well as 
those 'local' users (non-AD accounts) whose passwords are stored in the 
User form.

It is rather worrying, as our Partner has pointed out to BMC, if BMC 
have used these functions on their own applications (ITSM et al). We are 
custom built here and have only noticed this when we were debugging our 
system as we plan to upgrade over the coming weekend.

Ian


Ian Trimnell, AR System Lead Developer (amongst other jobs),
Specialist Support & Information Team, Academic & Administrative 
Computing Service
Open University, MILTON KEYNES, UK
Phone: 01908 653741   web: http://www.open.ac.uk/




Re: Security issue with 7.5

2009-05-20 Thread Ian Trimnell

Lammey, Peter A. wrote:

Are your User accounts set up with specific passwords or are you 
utilizing LDAP authentication?


Thanks
Peter Lammey
ESPN IT Client Architecture and Automation
860-766-4761


Peter,

We are using LDAP authentication and this issue shows passwords where 
users are authenticated against our Active Directory server as well as 
those 'local' users (non-AD accounts) whose passwords are stored in the 
User form.


It is rather worrying, as our Partner has pointed out to BMC, if BMC 
have used these functions on their own applications (ITSM et al). We are 
custom built here and have only noticed this when we were debugging our 
system as we plan to upgrade over the coming weekend.


Ian


Ian Trimnell, AR System Lead Developer (amongst other jobs),
Specialist Support & Information Team, Academic & Administrative 
Computing Service

Open University, MILTON KEYNES, UK
Phone: 01908 653741   web: http://www.open.ac.uk/




Re: Security issue with 7.5

2009-05-20 Thread Lammey, Peter A.
Are your User accounts set up with specific passwords or are you utilizing LDAP 
authentication?



Thanks
Peter Lammey
ESPN IT Client Architecture and Automation
860-766-4761




From: Action Request System discussion list(ARSList) 
[mailto:arsl...@arslist.org] On Behalf Of Ian Trimnell
Sent: Wednesday, May 20, 2009 8:13 AM
To: arslist@ARSLIST.ORG
Subject: Security issue with 7.5


Greetings ARSlist.

We have come across a fairly large security issue with AR System 7.5.  If you 
use any of the new-style Templates which include in them graphics and then 
attempt to display these on the Windows Client (WUT) with active link logging 
turned on the Username and Password of the user will be displayed in clear text 
in the log file.

The following is an edited version of the issue that I have open with our BMC 
Partner (Fusion):

I have created a dummy account on our 7.5 patch 001 system and have logged in 
with that account using the 7.5 patch 001 WUT. I then turned on Active Link 
logging.
Next I opened the uidemo form that BMC have provided as that has a number of 
templates with graphics in them. I clicked on the "Hover and Tooltips" panel 
and hovered the mouse over a row in the "Hover on Table Row" table. The window 
that resulted had the template text but no graphic was displayed (possibly 
understandable with the WUT).
I then turned logging off.
Search through the log file for any references to the field "Format Buffer" and 
you will see the full URL of any graphics file being shown along with the FULL 
log-in credentials of the dummy user.

Here is an extract from the log file:

 Checking uidemo:  Hover and Tooltips - on row select (0)
 -> Passed qualification -- perform if actions
  0: Set Fields
 Format Buffer (536971496) = 
   <img src="http://newcicero.open.ac.uk:/arsys/sharedresources/image/srm_service_advanced.jpg?server=newcicero.open.ac.uk&username=dummy&pwd=Youshouldntseethis&auth&native=1" />
   Advanced
   Advanced services including everything from A-Z


We are getting round this problem now by amending the workflow that calls the 
template so that a graphics-free template is used for WUT users.

I am posting this here as I think that the wider AR System community need to 
know.  If I get any feedback from BMC I will post it here, but going on another 
issue I currently have open with BMC I'm not holding my breath for an answer in 
the short term.

Cheers,

Ian

Ian Trimnell, AR System Lead Developer (amongst other jobs),
Specialist Support & Information Team, Academic & Administrative Computing 
Service
Open University, MILTON KEYNES, UK
Phone: 01908 653741   web: http://www.open.ac.uk/


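The practical problem the original post describes is that a password travels as a query-string parameter (`username=...&pwd=...`) inside an image URL, so it lands in the active link log and in the HTML source of the View field. The following is an added example, not code from the thread and not BMC's, showing how to sweep such log files and saved HTML for credential-bearing URLs and produce a redacted copy before the file is shared with support or a partner. The sample log lines, the host arserver.example.com, the port 8080 and the list of sensitive parameter names are constructed for the example; only the parameter names `username` and `pwd` and the `Format Buffer` log prefix come from the thread. The sample keeps each URL on one line, so a real wrapped log would need unwrapping first.

```python
"""Added example, not from the ARSlist thread or BMC: find and redact
credentials that appear as URL query parameters in log text.

Constructed for illustration: the sample log lines, the host
arserver.example.com, the port 8080 and the SENSITIVE_KEYS set.
Only the parameter names username/pwd and the 'Format Buffer' log
prefix are taken from the thread.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query-string keys that must never travel in a URL. 'pwd' and 'username'
# are the names seen in the thread; the others are common variants (assumed).
SENSITIVE_KEYS = {"pwd", "password", "passwd", "username", "user"}

# A URL runs from the scheme to the first whitespace, quote or angle
# bracket, which stops the match at the closing quote of an HTML src="...".
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample of an active link log: one leaking line, one clean line.
SAMPLE_LOG = """\
 Checking uidemo:  Hover and Tooltips - on row select (0)
 -> Passed qualification -- perform if actions
  0: Set Fields
 Format Buffer (536971496) = <img src="http://arserver.example.com:8080/arsys/sharedresources/image/srm_service_advanced.jpg?server=arserver.example.com&username=dummy&pwd=Youshouldntseethis&auth&native=1" />
 Checking uidemo:  Hover and Tooltips - on display (0)
 Format Buffer (536971497) = <img src="http://arserver.example.com:8080/arsys/sharedresources/image/logo.gif" />
"""


def leaked_params(url):
    """Return {key: value} for the sensitive query parameters of one URL."""
    query = urlsplit(url).query
    return {k: v for k, v in parse_qsl(query, keep_blank_values=True)
            if k.lower() in SENSITIVE_KEYS}


def scan_log(text):
    """Walk the text line by line and report every URL that carries
    credentials as a list of {'line', 'url', 'leaked'} dicts."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in URL_RE.finditer(line):
            url = match.group(0)
            leaked = leaked_params(url)
            if leaked:
                findings.append({"line": lineno, "url": url, "leaked": leaked})
    return findings


def redact_url(url):
    """Replace the value of every sensitive query parameter with REDACTED,
    keeping the rest of the URL intact so the line stays useful for debugging."""
    parts = urlsplit(url)
    cleaned = [(k, "REDACTED" if k.lower() in SENSITIVE_KEYS else v)
               for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


def redact_log(text):
    """Return a copy of the text with credentials stripped from every URL;
    works the same on a log file and on saved View-field HTML source."""
    return URL_RE.sub(lambda m: redact_url(m.group(0)), text)


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: leaked {sorted(f['leaked'])} in {f['url']}")
    print(redact_log(SAMPLE_LOG))
```

Run it against a copy of the WUT log (or the HTML saved from 'View Source') before attaching either to a support case; the scan tells you which users' credentials are now in the file and need rotating, and the redacted copy is what you send. Note that the redaction keeps the parameter names, so a later scan still flags the line as having carried credentials, which is deliberate: the point is to show the URL shape without the secret.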