SOI User names and passwords are shown in the source code

Article ID: 111004

Products

CA Service Operations Insight (SOI)

Issue/Introduction



Is it a security risk that SOI has usernames and encrypted passwords in configuration files?

Environment

SOI 4.0
SOI 4.2

Resolution

The SOI UI and SOI Manager are admin portals. The SOI application connects to various connectors such as databases, SMTP, etc. The configuration details for these connections, such as hostname, username, password and port, are entered by the administrator. When the administrator revisits the configuration pages, he sees the password value in encrypted form and not in clear text, as in this field from the page source:
(input type="hidden" size="30" name="smtpPassword_value" value="EIBxlDsGeasfM1IL15ipNity4MXh19HPi4eJgmH6TQ5W")
1. Only the SOI application can decrypt the encrypted value.
2. Only the administrator has access to the configuration pages.
3. The configuration details are added in the administrator pages only by the admin.
4. Even when an attacker gains admin credentials through various means, he can only see the password in encrypted form and cannot decrypt the password.
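
One way to check the statement above against saved copies of the configuration pages is to list every credential-like input field and classify the value it carries. This is an added example, not CA/Broadcom code: the field-name pattern, the length and entropy thresholds, and every sample field except smtpPassword_value are assumptions.

```python
import math
import re
from html.parser import HTMLParser

CRED_NAME = re.compile(r"pass|pwd|secret", re.IGNORECASE)  # assumed naming patterns
B64_LIKE = re.compile(r"^[A-Za-z0-9+/_-]+={0,2}$")         # base64/base64url alphabet

# Constructed sample page: the first field is the one quoted in the article,
# the remaining fields are made up for contrast.
SAMPLE = """
<input type="hidden" size="30" name="smtpPassword_value" value="EIBxlDsGeasfM1IL15ipNity4MXh19HPi4eJgmH6TQ5W">
<input type="password" name="dbPassword" value="Summer2019!">
<input type="text" name="smtpHost" value="mail.example.test">
<input type="password" name="proxyPassword" value="">
"""

def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def classify(value):
    """Heuristic: 'opaque' looks like encoded ciphertext, nothing more."""
    if not value:
        return "empty"
    if len(value) >= 24 and B64_LIKE.match(value) and shannon_entropy(value) >= 4.0:
        return "opaque"
    return "possible-cleartext"

class CredentialFieldAudit(HTMLParser):
    """Collects (name, type, classification) for credential-like <input> tags."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        name = a.get("name") or ""
        if tag == "input" and CRED_NAME.search(name):
            kind = a.get("type") or "text"
            self.findings.append((name, kind, classify(a.get("value") or "")))

def audit(html):
    """Return findings for one page of HTML source."""
    parser = CredentialFieldAudit()
    parser.feed(html)
    return parser.findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A result of possible-cleartext is a prompt to inspect that field by hand; opaque is only a heuristic and does not prove that the value is encrypted.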