SOI User names and passwords are shown in the source code
Article ID: 111004
Updated On:
Products
CA Service Operations Insight (SOI)
Issue/Introduction
Is it a security risk that SOI has usernames and encrypted passwords in configuration files ?
Environment
SOI 4.0
SOI 4.2
SOI 4.2
Resolution
SOI UI and Manager are admin portals. SOI application connects to various connectors such as databases, smtp, etc. These user configuration details such as hostname,username,password,port are entered by the administrator. When the administrator revisits the configuration pages, he sees the password value in encrypted form and not in clear text.
(input type="hidden" size="30" name="smtpPassword_value" value="EIBxlDsGeasfM1IL15ipNity4MXh19HPi4eJgmH6TQ5W")
1. Only SOI Application can decrypt the encrypted value
2. Only Administrator have access to Configuration Pages
3. The Configuration details are added in administrator pages only by the admin
4. Even when attacker gains admin credentials through various means, he can only see the password in encrypted form and cannot decrypt the password.
(input type="hidden" size="30" name="smtpPassword_value" value="EIBxlDsGeasfM1IL15ipNity4MXh19HPi4eJgmH6TQ5W")
1. Only SOI Application can decrypt the encrypted value
2. Only Administrator have access to Configuration Pages
3. The Configuration details are added in administrator pages only by the admin
4. Even when attacker gains admin credentials through various means, he can only see the password in encrypted form and cannot decrypt the password.
Feedback
Yes
No
Powered by
